deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-29 09:13:39 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into jd-sandbox

Browse Source
This commit is contained in:
jdeckerMS
2017-05-31 07:45:18 -07:00
parent e846d959fa e23652118c
commit 239f41aedf
555 changed files with 144218 additions and 616 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.openpublishing.publish.config.json
View File

@ -398,8 +398,7 @@
"branches_to_filter": [
""
],
"git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/windows-itpro-docs",
"git_repository_branch_open_to_public_contributors": "master",
"git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/win-cpub-itpro-docs",
"skip_source_output_uploading": false,
"need_preview_pull_request": true,
"dependent_repositories": [
@ -424,7 +423,12 @@
"master": [
"Publish",
"Pdf"
],
"msesdemo": [
"Publish",
"Pdf"
]
},
"need_generate_pdf_url_template": true,
"Targets": {

10
.openpublishing.redirection.json
View File

@ -62,27 +62,27 @@
},
{
"source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md",
"redirect_url": "/itpro/surface-hub/finishing-your-surface-hub-meeting",
"redirect_url": "/surface-hub/finishing-your-surface-hub-meeting",
"redirect_document_id": true
},
{
"source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md",
"redirect_url": "/itpro/surface-hub/provisioning-packages-for-surface-hub",
"redirect_url": "/surface-hub/provisioning-packages-for-surface-hub",
"redirect_document_id": true
},
{
"source_path": "devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md",
"redirect_url": "/itpro/surface-hub/admin-group-management-for-surface-hub",
"redirect_url": "/surface-hub/admin-group-management-for-surface-hub",
"redirect_document_id": true
},
{
"source_path": "devices/surface-hub/surface-hub-administrators-guide.md",
"redirect_url": "/itpro/surface-hub/index",
"redirect_url": "/surface-hub/index",
"redirect_document_id": true
},
{
"source_path": "devices/surface-hub/intro-to-surface-hub.md",
"redirect_url": "/itpro/surface-hub/index",
"redirect_url": "/surface-hub/index",
"redirect_document_id": false
},
{

14
browsers/internet-explorer/TOC.md
View File

@ -20,7 +20,7 @@
###[Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md)
##[Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md)
##[Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md)
###[What is Enterprise Mode?](ie11-deploy-guide/what-is-enterprise-mode.md)
###[Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md)
###[Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md)
###[Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md)
###[Enterprise Mode schema v.2 guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md)
@ -40,6 +40,18 @@
####[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md)
####[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
####[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
###[Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md)
####[Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md)
#####[Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md)
#####[Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md)
####[Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md)
#####[Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md)
#####[Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md)
#####[Approve a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md)
#####[Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md)
#####[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md)
#####[View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md)
#####[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md)
###[Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md)
###[Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md)
###[Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md)

64
browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md Normal file
View File

@ -0,0 +1,64 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how to add employees to the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Add employees to the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups.
The available roles are:
- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests.
- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page.
**To add an employee to the Enterprise Mode Site List Portal**
1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page.
The **Employee management** page appears.
2. Click **Add a new employee**.
The **Add a new employee** page appears.
3. Fill out the fields for each employee, including:
- **Email.** Add the employee's email address.
- **Name.** This box autofills based on the email address.
- **Role.** Pick a single role for the employee, based on the list above.
- **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers.
- **Comments.** Add optional comments about the employee.
- **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box.
4. Click **Save**.
**To export all employees to an Excel spreadsheet**
1. On the **Employee management** page, click **Export to Excel**.
2. Save the EnterpriseModeUsersList.xlsx file.
The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name.

58
browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md Normal file
View File

@ -0,0 +1,58 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Approve a change request using the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
## Approve or reject a change request
The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
**To approve or reject a change request**
1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request.
## Send a reminder to the Approver(s) group
If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
An email is sent to the selected Approver(s).
## View rejected change requests
The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
**To view the rejected change request**
- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
All rejected change requests appear, with role assignment determining which ones are visible.
## Next steps
After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.

5
browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
View File

@ -12,6 +12,11 @@ author: eross-msft
# Change history for Internet Explorer 11
This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
## April 2017
|New or changed topic | Description |
|----------------------|-------------|
|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. |
## March 2017
|New or changed topic | Description |
|----------------------|-------------|

93
browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md Normal file
View File

@ -0,0 +1,93 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes.
author: eross-msft
ms.prod: ie11
title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Use the Settings page to finish setting up the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes.
## Use the Environment settings area
This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications.
**To add location info**
1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
The **Settings** page appears.
2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**.
3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**.
## Use the Group and role settings area
After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group.
**To add a new group and determine the required change request Approvers**
1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
The **Settings** page appears.
2. In the **Group and role settings** area of the page, click **Group details**.
The **Add or edit group names** box appears.
3. Click the **Add group** tab, and then add the following info:
- **New group name.** Type name of your new group.
- **Group head email.** Type the email address for the primary contact for the group.
- **Group head name.** This box automatically fills, based on the email address.
- **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box.
4. Click **Save**.
**To set a group's required Approvers**
1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box.
2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles.
- **App Manager.** All employees in the selected group must get change request approval by someone assigned this role.
You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
- **Group Head.** All employees in the selected group must get change request approval by someone assigned this role.
You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
- **Administrator.** All employees in the selected group must get change request approval by someone assigned this role.
## Use the Freeze production changes area
This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List. This must include both a start and an end date.
**To add the start and end dates**
1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
The **Settings** page appears.
2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time.
3. Click **Save**.
## Related topics
- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)

69
browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md Normal file
View File

@ -0,0 +1,69 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how to create a change request within the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Create a change request using the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
>[!Important]
>Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
**To create a new change request**
1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
The **Create new request** page appears.
2. Fill out the required fields, based on the group and the app, including:
- **Group name.** Select the name of your group from the dropdown box.
- **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
- **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
- **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list.
- **Requested by.** Automatically filled in with your name.
- **Description.** Add descriptive info about the app.
- **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**.
- **Reason for request.** Select the best reason for why you want to update, delete, or add the app.
- **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change.
- **App location (URL).** The full URL location to the app, starting with http:// or https://.
- **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
- **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/en-us/library/cc288325(v=vs.85).aspx).
4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
- **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
- **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
## Next steps
After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.

5
browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
View File

@ -2,7 +2,7 @@
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company.
author: eross-msft
ms.prod: ie11
ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e
@ -26,7 +26,7 @@ Use the topics in this section to learn how to set up and use Enterprise Mode an
## In this section
|Topic |Description |
|---------------------------------------------------------------|-----------------------------------------------------------------------------------|
|[What is Enterprise Mode?](what-is-enterprise-mode.md) |Includes descriptions of the features of Enterprise Mode. |
|[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. |
|[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. |
|[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. |
|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. |
@ -34,6 +34,7 @@ Use the topics in this section to learn how to set up and use Enterprise Mode an
|[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. |
|[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.|
|[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. |
|[Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) |Guidance about how to set up and use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. |
|[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. |
|[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. |
|[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. |

2
browsers/internet-explorer/ie11-deploy-guide/index.md
View File

@ -33,7 +33,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s
|[List of updated features and tools - Internet Explorer 11 (IE11)](updated-features-and-tools-with-ie11.md) |IE11 includes several new features and tools. This topic includes high-level info about the each of them. |
|[Install and Deploy Internet Explorer 11 (IE11)](install-and-deploy-ie11.md) |Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. |
|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Use IE to collect data on computers running Windows Internet Explorer 8 through IE11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. |
|[Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) |Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. |
|[Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) |Use the topics in this section to learn how to set up and use Enterprise Mode, the Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal in your company. |
|[Group Policy and Internet Explorer 11 (IE11)](group-policy-and-ie11.md) |Use the topics in this section to learn about Group Policy and how to use it to manage IE. |
|[Manage Internet Explorer 11](manage-ie11-overview.md) |Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for IE. |
|[Troubleshoot Internet Explorer 11 (IE11)](troubleshoot-ie11.md) |Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with IE. |

49
browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md Normal file
View File

@ -0,0 +1,49 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Schedule approved change requests for production using the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time.
**To schedule an immediate change**
1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane.
2. The Requester clicks the **Approved** status for the change request.
The **Schedule changes** page appears.
3. The Requester clicks **Now**, and then clicks **Save**.
The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes.
**To schedule the change for a different day or time**
1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane.
2. The Requester clicks the **Approved** status for the change request.
The **Schedule changes** page appears.
3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**.
The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. After the update finishes, the Requester will be asked to verify the changes.
## Next steps
After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic.

231
browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md Normal file
View File

@ -0,0 +1,231 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how to set up the Enterprise Mode Site List Portal for your organization.
author: eross-msft
ms.prod: ie11
title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Set up the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment.
## Step 1 - Copy the deployment folder to the web server
You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server.
**To download the source code**
1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server.
2. Install the Node.js® package manager, [npm](https://www.npmjs.com/).
>[!Note]
>You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
3. Open File Explorer and then open the **EMIEWebPortal/** folder.
4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**.
5. Type _npm i_ into the command prompt, then press **Enter**.
Installs the npm package manager and bulk adds all the third-party libraries back into your codebase.
6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, and then build the entire solution.
7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager.
## Step 2 - Create the Application Pool and website, by using IIS
Create a new Application Pool and the website, by using the IIS Manager.
**To create a new Application Pool**
1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**.
The **Add Application Pool** box appears.
2. In the **Add Application Pool** box, enter the following info:
- **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_.
- **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher.
- **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content.
3. Click **OK**.
4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane.
The **Advanced Settings** box appears.
5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box.
6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_.
7. Right-click on the directory, click **Properties**, and then click the **Security** tab.
8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer.
9. Add **Everyone** to the list with **Read & execute access**.
**To create the website**
1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**.
The **Add Website** box appears.
2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**.
The **Select Application Pool** box appears.
4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_.
5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_.
6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization.
7. Clear the **Start Website immediately** check box, and then click **OK**.
8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_.
The **<<i>website_name</i>> Home** pane appears.
9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**.
>[!Note]
>You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
10. Return to the **<<i>website_name</i>> Home** pane, and double-click the **Connection Strings** icon.
11. Open the **LOBMergedEntities Connection String** to edit:
- **Data source.** Type the name of your local computer.
- **Initial catalog.** The name of your database.
>[!Note]
>Step 3 of this topic provides the steps to create your database.
## Step 3 - Create and prep your database
Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
**To create and prep your database**
1. Start SQL Server Management Studio.
2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine.
3. Expand the instance, right-click on **Databases**, and then click **New Database**.
4. Type a database name. For example, _EMIEDatabase_.
5. Leave all default values for the database files, and then click **OK**.
6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory.
7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_.
8. Run the query.
## Step 4 - Map your Application Pool to a SQL Server role
Map your ApplicationPoolIdentity to your database, adding the db_owner role.
**To map your ApplicationPoolIdentity to a SQL Server role**
1. Start SQL Server Management Studio and connect to your database.
2. Expand the database instance and then open the server-level **Security** folder.
> [!IMPORTANT]
> Make sure you open the **Security** folder at the server level and not for the database.
3. Right-click **Logins**, and then click **New Login**.
The **Login-New** dialog box appears.
4. Type the following into the **Login name** box, based on your server instance type:
- **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_.
- **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`.
> [!IMPORTANT]
> Don't click **Search** in the **Login name** box. Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID).
5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane.
6. Click **OK**.
## Step 5 - Restart the Application Pool and website
Using the IIS Manager, you must restart both your Application Pool and your website.
**To restart your Application Pool and website**
1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane.
2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane.
## Step 6 - Registering as an administrator
After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal.
**To register as an administrator**
1. Open Microsoft Edge and type your website URL into the Address bar. For example, http://emieportal:8085.
2. Click **Register now**.
3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box.
4. Click **Administrator** from the **Role** box, and then click **Save**.
5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, http://emieportal:8085/#/EMIEAdminConsole.
A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit.
6. Select your name from the available list, and then click **Activate**.
7. Go to the Enterprise Mode Site List Portal Home page and sign in.
## Step 7 - Configure the SMTP server and port for email notification
After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system.
**To set up your SMTP server and port for emails**
1. Open Visual Studio, and then open the web.config file from your deployment directory.
2. Update the SMTP server and port info with your info, using this format:
```
<add key="host" value="SMTPHOST.corp.contoso.com"/>
<add key="port" value="2500"/>
```
3. Open the **Settings** page in the Enterprise Mode Site List Portal, and then update the email account and password info.
## Step 8 - Register the scheduler service
Register the EMIEScheduler tool and service for production site list changes.
**To register the scheduler service**
1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\.
>[!Important]
>If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_.
3. Run the command, `InstallUtil "<path_to_service>"`. For example, _InstallUtil "C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe"._
You'll be asked for your user name and password for the service.
4. Open the **Run** command, type `Services.msc`, and then start the EMIEScheduler service.
## Related topics
- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)

79
browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md Normal file
View File

@ -0,0 +1,79 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal.
ms.prod: ie11
title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Use the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration thats designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users.
## Minimum system requirements for portal and test machines
Some of the components in this table might also need additional system resources. Check the component's documentation for more information.
|Item |Description |
|-----|------------|
|Operating system |Windows 7 or later |
|Memory |16 GB RAM |
|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security |
|Active Directory (AD) |Devices must be domain-joined |
|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later |
|Visual Studio |Visual Studio 2015 or later |
|Node.js® package manager |npm Developer version or higher |
|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later |
## Role assignments and available actions
Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table.
|Role assignment |Available actions |
|----------------|------------------|
|Requester |<ul><li>Create a change request</li><br><br><li>Validate changes in the pre-production environment</li><br><br><li>Rollback pre-production and production changes in case of failure</li><br><br><li>Send approval requests</li><br><br><li>View own requests</li><br><br><li>Sign off and close own requests</li></ul> |
|Approver<br><br>(includes the App Manager and Group Head roles) |<ul><li>All of the Requester actions, plus:</li><br><br><li>Approve requests</li></ul> |
|Administrator |<ul><li>All of the Requester and Approver actions, plus:</li><br><br><li>Add employees to the portal</li><br><br><li>Assign employee roles</li><br><br><li>Approve registrations to the portal</li><br><br><li>Configure portal settings (for example, determine the freeze schedule, determine the pre-production and production XML paths, and determine the attachment upload location)</li><br><br><li>Use the standalone Enterprise Mode Site List Manager page</li><br><br><li>View reports</li></ul> |
## Enterprise Mode Site List Portal workflow by employee role
The following workflow describes how to use the Enterprise Mode Site List Portal.
1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md)
2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md)
3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md)
4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md)
5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md)
## Related topics
- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md)
- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md)
- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
 
 

66
browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md Normal file
View File

@ -0,0 +1,66 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Verify your changes using the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
>[!Important]
>This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry.
## Verify and send the change request to Approvers
The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful.
**To verify changes and send to the Approver(s)**
1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
2. The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**.
The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval.
**To rollback your pre-production changes**
1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**.
The change request and issue info are sent to the Administrators.
3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment.
After the Requester rolls back the changes, the request can be updated and re-submitted.
## View rolled back change requests
The original Requester and the Administrator(s) group can view the rolled back change requests.
**To view the rolled back change request**
- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane.
All rolled back change requests appear, with role assignment determining which ones are visible.
## Next steps
If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic.

41
browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md Normal file
View File

@ -0,0 +1,41 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Verify the change request update in the production environment using the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
## Verify and sign off on the update in the production environment
The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful.
**To verify the changes and sign off**
- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**.
The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off.
**To rollback production changes**
1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results.
2. Add a description about the issue into the **Change description** box, and then click **Send failure details**.
The info is sent to the Administrators.
3. The Requester clicks **Roll back** to roll back the changes in the production environment.
After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists.

37
browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md Normal file
View File

@ -0,0 +1,37 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List.
**To view the active Enterprise Mode Site List**
1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page.
The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser.
**To export the active Enterprise Mode Site List**
1. On the **Production sites list** page, click **Export**.
2. Save the ProductionSiteList.xlsx file.
The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser.

49
browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md Normal file
View File

@ -0,0 +1,49 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: View the available Enterprise Mode reports from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
Administrators can view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal.
**To view the reports**
1. Open the Enterprise Mode Site List Portal and click the **Enterprise Mode reports** icon in the upper-right area of the page.
The **Enterprise Mode reports** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
2. Use the calendars to provide the **From date** and **To date**, determining the span of time the report covers.
3. Click **Apply**.
The reports all change to reflect the appropriate timeframe and group, including:
- **Total number of websites in the site list.** A box at the top of the reports page that tells you the total number of websites included in the Enterprise Mode Sit List.
- **All websites by docmode.** Shows how many change requests exist, based on the different doc modes included in the **App best viewed in** field.
- **All websites by browser.** Shows how many apps require which browser, including **IE11**, **MSEdge**, or **None**.
- **All requests by status.** Shows how many change requests exist, based on each status.
- **All requests by change type.** Shows how many change requests exist, based on the **Requested change** field.
- **Request status by group.** Shows how many change requests exist, based on both group and status.
- **Reasons for request.** Shows how many change request reasons exist, based on the **Reason for request** field.
- **Requested changes by app name.** Shows what specific apps were **Added to site list**, **Deleted from site list**, or **Updated from site list**.

142
browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
View File

@ -6,12 +6,12 @@ description: Info about the features included in Enterprise Mode with Internet E
author: eross-msft
ms.prod: ie11
ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa
title: What is Enterprise Mode (Internet Explorer 11 for IT Pros)
title: Enterprise Mode and the Enterprise Mode Site List (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# What is Enterprise Mode?
# Enterprise Mode and the Enterprise Mode Site List
**Applies to:**
@ -21,28 +21,146 @@ ms.sitesec: library
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 8.1 Update and Windows 7 devices, lets websites render using a modified browser configuration thats designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to the latest version of IE. In particular, IE11 lets customers benefit from modern web standards, increased performance, improved security, and better reliability.
## Available dual-browser experiences
Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment:
## Enterprise Mode features
- Use Microsoft Edge as your primary browser.
- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies.
- Use Microsoft Edge as your primary browser and open all intranet sites in IE11.
- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies.
For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog.
## What is Enterprise Mode?
Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10 devices, lets websites render using a modified browser configuration thats designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
### Enterprise Mode features
Enterprise Mode includes the following features:
- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting a number of site patterns that arent currently supported by existing document modes.
- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that arent currently supported by existing document modes.
- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode. <p>
- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode.
Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema.
- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the **Tools** menu and to decide whether the Enterprise browser profile appears on the **Emulation** tab of the F12 developer tools.<p>**Important**<br>All centrally-made decisions override any locally-made choices. 
- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
>[!Important]
>All centrally-made decisions override any locally-made choices.
- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
 
- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
 
## Enterprise Mode and the Enterprise Mode Site List XML file
The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11.
Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
### Site list xml file
This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
```xml
<site-list version="205">
<!--- File creation header --->
<created-by>
<tool>EnterpriseSiteListManager</tool>
<version>10586</version>
<date-created>20150728.135021</date-created>
</created-by>
<!--- Begin Site List --->
<site url="www.cpandl.com">
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
<site url="www.woodgrovebank.com">
<compat-mode>default</compat-mode>
<open-in>IE11</open-in>
</site>
<site url="adatum.com">
<compat-mode>IE7Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
<site url="relecloud.com"/>
<!-- default for self-closing XML tag is
<compat-mode>default</compat-mode>
<open-in>none</open-in>
-->
<site url="relecloud.com/products">
<compat-mode>IE8Enterprise"</compat-mode>
<open-in>IE11</open-in>
</site>
<site url="contoso.com/travel">
<compat-mode>IE7</compat-mode>
<open-in>IE11</open-in>
</site>
<site url="fabrikam.com">
<compat-mode>IE7</compat-mode>
<open-in>IE11</open-in>
</site>
</site-list>
```
## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools
You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, weve also provided a couple tools that can make that process even easier.
### Enterprise Mode Site List Manager
This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.
We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema.
If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal.
### Enterprise Mode Site List Portal
The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management.
In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you:
- Manage site lists from any device supporting Windows 7 or greater.
- Submit change requests.
- Operate offline through an on-premise solution.
- Provide role-based governance.
- Test configuration settings before releasing to a live environment.
Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) topics.
## Related topics
- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie)
- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501)
- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974)
- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)
- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx)
- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx)
- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search)

42
browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md Normal file
View File

@ -0,0 +1,42 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Workflow-based processes for employees using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Workflow-based processes for employees using the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
Use the topics in this section to learn how to perform the available Enterprise Mode Site List Portal processes, based on workflow.
## In this section
|Topic |Description |
|---------------------------------------------------------------|-----------------------------------------------------------------------------------|
|[Create a change request using the Enterprise Mode Site List Portal](create-change-request-enterprise-mode-portal.md)|Details about how the Requester creates a change request in the Enterprise Mode Site List Portal.|
|[Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md)|Details about how the Requester tests a change request in the pre-production environment of the Enterprise Mode Site List Portal.|
|[Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md)|Details about how the Approver(s) approve a change request in the Enterprise Mode Site List Portal.|
|[Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md)|Details about how the Requester schedules the approved change request update in the Enterprise Mode Site List Portal.|
|[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md)|Details about how the Requester tests an update in the production environment of the Enterprise Mode Site List Portal.|
|[View the apps currently on the Enterprise Mode Site List](view-apps-enterprise-mode-site-list.md)|Details about how anyone with access to the portal can review the apps already on the active Enterprise Mode Site List.|
|[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](view-enterprise-mode-reports-for-portal.md) |Details about how the Administrator can view the view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. |
## Related topics
- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md)
- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)

93
education/get-started/get-started-with-microsoft-education.md
View File

@ -174,20 +174,22 @@ To learn more about the CSV files that are required and the info you need to inc
**<a name="assignclassroom"></a>Assign Classroom license**
The Classroom application is retired, but you will need to assign the Classroom Preview license to yourself and other global admins so that you can access the services. The single license will allow global admins to access both Classroom Preview and School Data Sync.
The Classroom application is retired, but you will need to assign the Classroom Preview license to global admin accounts that will be used to administer SDS. The single license allows global admins to access both Classroom Preview and School Data Sync.
1. In the <a href="https://portal.office.com/adminportal" target="_blank">Office 365 admin center</a>, select **Users > Active users**.
2. Select the checkbox for your global admin account.
3. In the account details window, under **Product licenses**, click **Edit**.
4. In the **Product licenses** page, turn on **Microsoft Classroom** and then click **Save**.
5. Confirm that you can access SDS. To do this, log in to <a href="http://sds.microsoft.com" target="_blank">https://sds.microsoft.com</a>.
5. Confirm that you can access SDS. To do this:
- Navigate to <a href="http://sds.microsoft.com" target="_blank">https://sds.microsoft.com</a> and click **Sign in**. When prompted, enter your global admin username and password to access the SDS portal. Or,
- From the Office 365 admin portal, go to **Admin centers** and click on **School Data Sync** to go to the SDS portal.
> [!NOTE]
> Only global admins can access SDS.
**<a name="usesdstoimportdata"></a>Use SDS to import student data**
1. If you haven't done so already, To do this, go to <a href="http://sds.microsoft.com" target="_blank">https://sds.microsoft.com</a>.
1. If you haven't done so already, go to the SDS portal, <a href="http://sds.microsoft.com" target="_blank">https://sds.microsoft.com</a>.
2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**.
**Figure 6** - Settings for managing SDS
@ -211,7 +213,7 @@ The Classroom application is retired, but you will need to assign the Classroom
![New SDS profile setup wizard](images/sds_updated_addnewprofile.png)
6. For the new profile, in the **Before you begin...** screen:
1. Enter a name for your profile, such as *ContosoElementarySchool*.
1. Enter a name for your profile, such as *Contoso_Profile_1*.
2. Select a sync method for your profile. For this walkthrough, select **CSV Files**.
Note that for any sync method that you choose, you can click the **View steps** link to get more information about the steps you need to take depending on the sync method of your choosing.
@ -219,11 +221,8 @@ The Classroom application is retired, but you will need to assign the Classroom
3. Click **Start**.
7. In the **Sync options** screen:
1. Select the domain for the schools/sections. If you have more than one domain, make sure you select the domain that corresponds to the profile you're creating.
2. In the **Select school and section properties** section, select the properties you want to sync. If you select additional properties, make sure you have these properties and values added in the CSV files. For the walkthrough, we're not changing the default values. These are:
- **School properties:** SIS ID, Name
- **Section properties:** SIS ID, School SIS ID, Section Name
3. In the **Select new or existing users** section, select either **New users** or **Existing users** based on the scenaro that applies to you.
1. In the **Select new or existing users** section, you can select either **New users** or **Existing users** based on the scenaro that applies to you. For this walkthrough, select **New users**.
<!--
- Choose **New users** if this is a brand new tenant and this is the first time that you're adding users.
Choose the **New users** option if you are using an unaltered version of the sample CSV files from [Download sample school data](#downloadcsvsamples) or if you created your own CSV files with new users.
@ -231,36 +230,45 @@ The Classroom application is retired, but you will need to assign the Classroom
- Choose **Existing users** if you already have a live production tenant, with teachers and students that already have active accounts in Office 365 (cloud only or synced from on-premise Active Directory).
Using the **Existing users** option, SDS will not attempt to create new users. Instead, it uses the identity matching options in the next section of the setup wizard to match the students and teachers in your CSV files to the user accounts that already exist in Azure. All additiional details for the students and teachers contained within the CSV files will be written as extension attributes on top of the already existing user objects. You can find more information about these settings on the main SDS deployment page for CSV-based deployments in <a href="http://aka.ms/sdscsv" target="_blank">How to deploy School Data Sync by using CSV files</a>.
4. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names.
5. In the **License Options** section, check the box to select the option.
6. Click **Next**.
-->
2. In the **Import data** section:
1. Click **Upload Files** to bring up the **Select data files to be uploaded** window.
2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import.
3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**.
4. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**.
4. After all the files are successfully uploaded, click **OK**.
3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created.
4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default.
5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files.
6. In the **License Options** section, check the box to allow users being created to receive an Office 365 license.
7. Check the **Intune for Education** checkbox to allow users to receive the Intune for Education license and to create the SDS dynamic groups and security groups, which be used within Intune for Education.
8. Click **Next**.
**Figure 9** - Sync options for the new profile
![Specify sync options for the new SDS profile](images/sds_addnewprofile_syncoptions.png)
![Specify sync options for the new SDS profile](images/sds_profile_syncoptions.png)
8. In the **Teacher options** screen:
1. Select the domain for the teachers. SDS uses this to match teachers from your source data to their existing accounts in Office 365/Azure Active Directory. In the walkthrough, the CSV files are our source data.
2. In the **Select teacher properties** section, you can add optional teacher properties to sync. For this walkthrough, you don't have to change the default.
1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created.
2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For this walkthrough, choose **STANDARDWOFFPACK_FACULTY**.
4. Click **Next**.
**Figure 10** - Specify options for teacher mapping
![Specify options for teacher mapping](images/sds_addnewprofile_teacheroptions.png)
![Specify options for teacher mapping](images/sds_profile_teacheroptions.png)
9. In the **Student options** screen:
1. Select the domain for the students. SDS uses this to match students from your source data to their existing accounts in Office 365/Azure Active Directory. In the walkthrough, the CSV files are our source data.
2. In the **Select student properties** section, you can add optional student properties to sync. For this walkthrough, you don't have to change the default.
1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created.
2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
3. In the **Student licenses** section, choose the SKU to assign licenses for students. For this walkthrough, choose **STANDARDWOFFPACK_STUDENT**.
4. Click **Next**.
**Figure 11** - Specify options for student mapping
![Specify options for student mapping](images/sds_addnewprofile_studentoptions.png)
![Specify options for student mapping](images/sds_profile_studentoptions.png)
10. In the profile **Review** page, review the summary and confirm that the values matches with the data you entered. Click **Create profile**.
10. In the profile **Review** page, review the summary and confirm that the options selected are correct. Click **Create profile**.
You will see a notification that your profile is being created.
@ -268,29 +276,22 @@ The Classroom application is retired, but you will need to assign the Classroom
**Figure 12** - SDS profile page
![SDS profile page](images/sds_profilepage.png)
![SDS profile page](images/sds_profile_profilepage.png)
12. After the profile name at the top, confirm that the status for your profile now says **Ready to sync**.
12. After the profile is created and finished **Setting up**, confirm that the status for your profile now says **Sync enabled**.
If the status still indicates that the profile is being set up, try refreshing the page until you see the status change to **Ready to sync**.
If the status still indicates that the profile is being set up, try refreshing the page until you see the status change to **Sync enabled**.
**Figure 13** - New profile is ready to sync
**Figure 13** - New profile is sync enabled
![Confirm that the new profile is ready](images/sds_profile_readytosync.png)
![Confirm that the new profile is sync enabled](images/sds_profile_syncenabled.png)
11. On the profile page, below the profile name and profile status, there are four options: **Upload Files**, **Start Sync**, **Edit**, and **Delete**. Click **Upload Files** and then follow these steps:
1. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import.
2. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**.
3. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**.
4. After all the files are successfully uploaded, click **OK**.
12. On the profile page, click **Start Sync** and then follow these steps:
1. In the **Would you like to start sync for *Profile_Name?*** window, click **Start Sync**. *Profile_Name* should match the name you entered for your profile in the **Before you begin...** screen.
2. Confirm that sync successfully started for the file and then click **OK**.
> [!TIP]
> If you get errors during the pre-sync validation process, your profile status will change to **x Error**. To continue, review or resolve any pre-sync validation errors, and then click **Resume Sync** to start the synchronization cycle.
> [!NOTE]
> Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time.
>
> You can refresh the page to confirm that your profile synced successfully.
Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time.
You can refresh the page to confirm that your profile synced successfully.
That's it for importing sample school data using SDS.
@ -401,15 +402,15 @@ Intune for Education provides an **Express configuration** option so you can get
**Figure 22** - Expand the settings group to get more details
![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped.png)
![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png)
9. For this walkthrough, set the following settings:
- In the **Internet browser settings** group, change the **Send Do Not Track requests to help protect users' privacy** setting to **Block**.
- In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Private Microsoft Store for Business apps** to **Allow**.
- In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**.
- In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**.
**Figure 23** - Set some additional settings
![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettingsconfigured_cropped.png)
![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png)
10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply.
@ -606,8 +607,8 @@ When a device is owned by the school, you may need to have a single persion addi
Follow the steps in this section to enable a single person to add many devices to your cloud infrastructure.
1. Sign in to the <a href="https://portal.office.com" target="_blank">Office 365 admin center</a>.
2. Click **Admin centers** and select **Azure AD** to go to the Azure portal.
3. Configure the device settings for the school's Active Directory. From the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>, select **Azure Active Directory > Users and groups > Device settings**.
2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>.
3. Select **Azure Active Directory > Users and groups > Device settings**.
**Figure 40** - Device settings in the new Azure portal
@ -622,8 +623,8 @@ When students move from using one device to another, they may need to have their
Follow the steps in this section to ensure that settings for the each user follow them when they move from one device to another.
1. Sign in to the <a href="https://portal.office.com" target="_blank">Office 365 admin center</a>.
2. Click **Admin centers** and select **Azure AD** to go to the Azure portal.
3. Configure the device settings for the school's Active Directory. From the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>, select **Azure Active Directory > Users and groups > Device settings**.
3. Go to the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>.
3. Select **Azure Active Directory > Users and groups > Device settings**.
4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**.
**Figure 41** - Enable settings to roam with users

BIN
education/get-started/images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 99 KiB

BIN
education/get-started/images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 82 KiB

BIN
education/get-started/images/sds_profile_profilepage.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 64 KiB

BIN
education/get-started/images/sds_profile_studentoptions.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 74 KiB

BIN
education/get-started/images/sds_profile_syncenabled.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.9 KiB

BIN
education/get-started/images/sds_profile_syncoptions.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 125 KiB

BIN
education/get-started/images/sds_profile_teacheroptions.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

BIN
education/windows/images/suspc_createpackage_configurestudentpcsettings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 166 KiB

BIN
education/windows/images/suspc_createpackage_recommendedapps.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 80 KiB

BIN
education/windows/images/suspc_createpackage_signin.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 74 KiB

BIN
education/windows/images/suspc_createpackage_skipwifi_modaldialog.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
education/windows/images/suspc_createpackage_summary.PNG
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 64 KiB

After

Width:  |  Height:  |  Size: 67 KiB

BIN
education/windows/images/suspc_createpackage_takeatest.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

BIN
education/windows/images/suspc_savepackage_insertusb.PNG
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 57 KiB

After

Width:  |  Height:  |  Size: 44 KiB

BIN
education/windows/images/suspc_savepackage_ppkgisready.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

61
education/windows/use-set-up-school-pcs-app.md
View File

@ -132,13 +132,21 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 2** - Verify that the account you selected shows up
![Verify that the account you selected shows up](images/suspc_choosesettings_signin_final.png)
![Verify that the account you selected shows up](images/suspc_createpackage_signin.png)
5. Click **Next**.
4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page:
1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network.
2. Click **Next**.
2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network.
If you click **Skip**, you will see the following dialog.
* If you select **Got it**, you will go to the next page without Wi-Fi set up.
* If you select **Add Wi-Fi**, you will go back to the Wi-Fi page to add a wireless network.
**Figure 3** - Only skip Wi-Fi if you have a wired Ethernet connection
![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png)
5. To assign a name to the student PCs, in the **Assign a name to these student PCs** page:
1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client.
@ -168,9 +176,9 @@ The **Set up School PCs** app guides you through the configuration choices for t
- To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background.
**Figure 3** - Configure student PC settings
**Figure 4** - Configure student PC settings
![Configure student PC settings](images/suspc_createpackage_settingspage.png)
![Configure student PC settings](images/suspc_createpackage_configurestudentpcsettings.png)
When you're doing configuring the student PC settings, click **Next**.
@ -180,50 +188,49 @@ The **Set up School PCs** app guides you through the configuration choices for t
If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test.
**Figure 4** - Configure the Take a Test app
**Figure 5** - Configure the Take a Test app
![Configure the Take a Test app](images/suspc_createpackage_takeatestpage.png)
![Configure the Take a Test app](images/suspc_createpackage_takeatest.png)
3. Click **Next** or **Skip** depending on whether you want to set up Take a Test.
<!-- comment out
7. If you want to add Microsoft Store for Education apps to the student PCs, you can select from the list of recommended apps in the **Add STEM and Makerspace apps to Student PCs** page.
1. Select the apps that you want to add. You'll see a checkmark on apps that you select.
2. Click **Next**.
8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include Minecraft: Education Edition and several STEM and Makerspace apps.
1. Select the apps that you would like to provision and then click **Next** when you're done.
2. Click **Skip** if you don't want to provision any apps.
**Figure 4** - Select Microsoft Store apps to add to student PCs
**Figure 6** - Select from a set of recommended Microsoft Store apps
![Select Microsoft Store apps to add to student PCs](images/suspc_choosesettings_apps.png)
![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps.png)
The set of recommended Microsoft Store for Education apps may vary from what we show here.
-->
8. In the **Review package summary** page, make sure that all the settings you configured appear correctly.
9. In the **Review package summary** page, make sure that all the settings you configured appear correctly.
1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes.
**Figure 5** - Review your settings and change them as needed
**Figure 7** - Review your settings and change them as needed
![Review your settings and change them as needed](images/suspc_createpackage_summary.png)
2. Click **Accept**.
9. In the **Insert a USB drive now** page:
10. In the **Insert a USB drive now** page:
1. Insert a USB drive to save your settings and create a provisioning package on the USB drive.
2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list.
3. Click **Save** to save the provisioning package to the USB drive.
**Figure 6** - Select the USB drive and save the provisioning package
**Figure 8** - Select the USB drive and save the provisioning package
![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb_050817.png)
![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png)
10. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
11. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
**Figure 7** - Provisioning package is ready
**Figure 9** - Provisioning package is ready
![Provisioning package is ready](images/suspc_ppkgisready_050817.png)
![Provisioning package is ready](images/suspc_savepackage_ppkgisready.png)
12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs.
**Figure 8** - Line up the student PCs and get them ready for setup
**Figure 10** - Line up the student PCs and get them ready for setup
![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png)
@ -232,7 +239,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package.
**Figure 9** - Install the provisioning package on the student PCs
**Figure 11** - Install the provisioning package on the student PCs
![Install the provisioning package on the student PCs](images/suspc_runpackage_installpackage.png)
@ -250,19 +257,19 @@ The provisioning package on your USB drive is named `Set up School PCs.ppkg`. A
If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
**Figure 10** - The first screen during first-run setup in Windows 10 Creators Update (version 1703)
**Figure 12** - The first screen during first-run setup in Windows 10 Creators Update (version 1703)
![The first screen to set up a new PC in Windows 10 Creators Update](images/win10_1703_oobe_firstscreen.png)
2. Insert the USB drive. Windows will recognize the drive and automatically install the provisioning package.
**Figure 11** - Windows automatically detects the provisioning package and installs it
**Figure 13** - Windows automatically detects the provisioning package and installs it
![Windows automatically detects the provisioning package and installs it](images/suspc_studentpcsetup_installingsetupfile.png)
3. You can remove the USB drive when you see the message that you can remove the removable media. You can then use the USB drive to start provisioning another student PC.
**Figure 12** - Remove the USB drive when you see the message that the media can be removed
**Figure 14** - Remove the USB drive when you see the message that the media can be removed
![You can remove the USB drive when you see the message that the media can be removed](images/suspc_setup_removemediamessage.png)

2
education/windows/windows-editions-for-education-customers.md
View File

@ -39,7 +39,7 @@ Existing devices running Windows 10 Pro, currently activated with the original O
Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
Customers who deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
Customers who deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
## Windows 10 Education

4
windows/access-protection/credential-guard/credential-guard-considerations.md
View File

@ -28,9 +28,9 @@ in the Deep Dive into Credential Guard video series.
- You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
- Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
## NTLM and CHAP Considerations
## Wi-fi and VPN Considerations
When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections.
## Kerberos Considerations

6
windows/access-protection/credential-guard/credential-guard-manage.md
View File

@ -97,7 +97,7 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot
```
### Credential Guard deployment in virtual machines
@ -126,7 +126,7 @@ You can view System Information to check that Credential Guard is running on a P
You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.0.ps1 -Ready
DG_Readiness_Tool_v3.2.ps1 -Ready
```
> [!NOTE]
@ -194,7 +194,7 @@ For more info on virtualization-based security and Device Guard, see [Device Gua
You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
DG_Readiness_Tool_v3.2.ps1 -Disable -AutoReboot
```
#### Disable Credential Guard for a virtual machine

3
windows/access-protection/docfx.json
View File

@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
},
"fileMetadata": {},
"template": [],

2
windows/access-protection/enterprise-certificate-pinning.md
View File

@ -6,7 +6,7 @@ author: MikeStephens-MS
description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name.
manager: alanth
ms.prod: w10
ms.technology: security
ms.technology: windows
ms.sitesec: library
ms.pagetype: security
localizationpriority: high

3
windows/application-management/docfx.json
View File

@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
},
"fileMetadata": {},
"template": [],

1
windows/client-management/TOC.md
View File

@ -9,4 +9,5 @@
## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Mobile Device Management](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)

3
windows/client-management/docfx.json
View File

@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
},
"fileMetadata": {},
"template": [],

221
windows/client-management/mdm/TOC.md Normal file
View File

@ -0,0 +1,221 @@
# [Mobile device management](index.md)
## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
## [Mobile device enrollment](mobile-device-enrollment.md)
### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
### [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md)
## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)
## [Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)
## [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)
## [Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)
## [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
### [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md)
### [Register your free Azure Active Directory subscription](register-your-free-azure-active-directory-subscription.md)
## [Enterprise app management](enterprise-app-management.md)
## [Device update management](device-update-management.md)
## [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)
## [Management tool for the Windows Store for Business](management-tool-for-windows-store-for-business.md)
### [REST API reference for Windows Store for Business](rest-api-reference-windows-store-for-business.md)
#### [Data structures for Windows Store for Business](data-structures-windows-store-for-business.md)
#### [Get Inventory](get-inventory.md)
#### [Get product details](get-product-details.md)
#### [Get localized product details](get-localized-product-details.md)
#### [Get offline license](get-offline-license.md)
#### [Get product packages](get-product-packages.md)
#### [Get product package](get-product-package.md)
#### [Get seats](get-seats.md)
#### [Get seat](get-seat.md)
#### [Assign seats](assign-seats.md)
#### [Reclaim seat from user](reclaim-seat-from-user.md)
#### [Bulk assign and reclaim seats from users](bulk-assign-and-reclaim-seats-from-user.md)
#### [Get seats assigned to a user](get-seats-assigned-to-a-user.md)
## [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
## [Certificate renewal](certificate-renewal-windows-mdm.md)
## [Disconnecting from the management infrastructure (unenrollment)](disconnecting-from-mdm-unenrollment.md)
## [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md)
## [Push notification support for device management](push-notification-windows-mdm.md)
## [OMA DM protocol support](oma-dm-protocol-support.md)
## [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
## [Server requirements for OMA DM](server-requirements-windows-mdm.md)
## [DMProcessConfigXMLFiltered](dmprocessconfigxmlfiltered.md)
## [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
## [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
## [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md)
### [Design a custom configuration service provider](design-a-custom-windows-csp.md)
### [IConfigServiceProvider2](iconfigserviceprovider2.md)
#### [IConfigServiceProvider2::ConfigManagerNotification](iconfigserviceprovider2configmanagernotification.md)
#### [IConfigServiceProvider2::GetNode](iconfigserviceprovider2getnode.md)
### [ICSPNode](icspnode.md)
#### [ICSPNode::Add](icspnodeadd.md)
#### [ICSPNode::Clear](icspnodeclear.md)
#### [ICSPNode::Copy](icspnodecopy.md)
#### [ICSPNode::DeleteChild](icspnodedeletechild.md)
#### [ICSPNode::DeleteProperty](icspnodedeleteproperty.md)
#### [ICSPNode::Execute](icspnodeexecute.md)
#### [ICSPNode::GetChildNodeNames](icspnodegetchildnodenames.md)
#### [ICSPNode::GetProperty](icspnodegetproperty.md)
#### [ICSPNode::GetPropertyIdentifiers](icspnodegetpropertyidentifiers.md)
#### [ICSPNode::GetValue](icspnodegetvalue.md)
#### [ICSPNode::Move](icspnodemove.md)
#### [ICSPNode::SetProperty](icspnodesetproperty.md)
#### [ICSPNode::SetValue](icspnodesetvalue.md)
### [ICSPNodeTransactioning](icspnodetransactioning.md)
### [ICSPValidate](icspvalidate.md)
### [Samples for writing a custom configuration service provider](samples-for-writing-a-custom-configuration-service-provider.md)
## [Configuration service provider reference](configuration-service-provider-reference.md)
### [ActiveSync CSP](activesync-csp.md)
#### [ActiveSync DDF file](activesync-ddf-file.md)
### [AllJoynManagement CSP](alljoynmanagement-csp.md)
#### [AllJoynManagement DDF](alljoynmanagement-ddf.md)
### [APPLICATION CSP](application-csp.md)
### [AppLocker CSP](applocker-csp.md)
#### [AppLocker DDF file](applocker-ddf-file.md)
#### [AppLocker XSD](applocker-xsd.md)
### [AssignedAccess CSP](assignedaccess-csp.md)
#### [AssignedAccess DDF file](assignedaccess-ddf.md)
### [BitLocker CSP](bitlocker-csp.md)
#### [BitLocker DDF file](bitlocker-ddf-file.md)
### [BOOTSTRAP CSP](bootstrap-csp.md)
### [BrowserFavorite CSP](browserfavorite-csp.md)
### [CellularSettings CSP](cellularsettings-csp.md)
### [CertificateStore CSP](certificatestore-csp.md)
#### [CertificateStore DDF file](certificatestore-ddf-file.md)
### [CleanPC CSP](cleanpc-csp.md)
#### [CleanPC DDF](cleanpc-ddf.md)
### [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
#### [ClientCertificateInstall DDF file](clientcertificateinstall-ddf-file.md)
### [CM_CellularEntries CSP](cm-cellularentries-csp.md)
### [CM_ProxyEntries CSP](cm-proxyentries-csp.md)
### [CMPolicy CSP](cmpolicy-csp.md)
### [CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md)
#### [CMPolicyEnterprise DDF file](cmpolicyenterprise-ddf-file.md)
### [CustomDeviceUI CSP](customdeviceui-csp.md)
#### [CustomDeviceUI DDF file](customdeviceui-ddf.md)
### [Defender CSP](defender-csp.md)
#### [Defender DDF file](defender-ddf.md)
### [DevDetail CSP](devdetail-csp.md)
#### [DevDetail DDF file](devdetail-ddf-file.md)
### [DeveloperSetup CSP](developersetup-csp.md)
#### [DeveloperSetup DDF](developersetup-ddf.md)
### [DeviceInstanceService CSP](deviceinstanceservice-csp.md)
### [DeviceLock CSP](devicelock-csp.md)
#### [DeviceLock DDF file](devicelock-ddf-file.md)
### [DeviceManageability CSP](devicemanageability-csp.md)
#### [DeviceManageability DDF](devicemanageability-ddf.md)
### [DeviceStatus CSP](devicestatus-csp.md)
#### [DeviceStatus DDF](devicestatus-ddf.md)
### [DevInfo CSP](devinfo-csp.md)
#### [DevInfo DDF file](devinfo-ddf-file.md)
### [DiagnosticLog CSP](diagnosticlog-csp.md)
#### [DiagnosticLog DDF file](diagnosticlog-ddf.md)
### [DMAcc CSP](dmacc-csp.md)
#### [DMAcc DDF file](dmacc-ddf-file.md)
### [DMClient CSP](dmclient-csp.md)
#### [DMClient DDF file](dmclient-ddf-file.md)
### [DMSessionActions CSP](dmsessionactions-csp.md)
#### [DMSessionActions DDF file](dmsessionactions-ddf.md)
### [DynamicManagement CSP](dynamicmanagement-csp.md)
#### [DynamicManagement DDF file](dynamicmanagement-ddf.md)
### [EMAIL2 CSP](email2-csp.md)
#### [EMAIL2 DDF file](email2-ddf-file.md)
### [EnterpriseAPN CSP](enterpriseapn-csp.md)
#### [EnterpriseAPN DDF](enterpriseapn-ddf.md)
### [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
### [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
#### [EnterpriseAppVManagement DDF file](enterpriseappvmanagement-ddf.md)
### [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)
#### [EnterpriseAssignedAccess DDF file](enterpriseassignedaccess-ddf.md)
#### [EnterpriseAssignedAccess XSD](enterpriseassignedaccess-xsd.md)
### [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
#### [EnterpriseDataProtection DDF file](enterprisedataprotection-ddf-file.md)
### [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)
#### [EnterpriseDesktopAppManagement DDF](enterprisedesktopappmanagement-ddf-file.md)
#### [EnterpriseDesktopAppManagement XSD](enterprisedesktopappmanagement2-xsd.md)
### [EnterpriseExt CSP](enterpriseext-csp.md)
#### [EnterpriseExt DDF file](enterpriseext-ddf.md)
### [EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md)
#### [EnterpriseExtFileSystem DDF file](enterpriseextfilesystem-ddf.md)
### [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
#### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md)
#### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
### [FileSystem CSP](filesystem-csp.md)
### [HealthAttestation CSP](healthattestation-csp.md)
#### [HealthAttestation DDF](healthattestation-ddf.md)
### [HotSpot CSP](hotspot-csp.md)
### [Maps CSP](maps-csp.md)
#### [Maps DDF](maps-ddf-file.md)
### [Messaging CSP](messaging-csp.md)
#### [Messaging DDF file](messaging-ddf.md)
### [NAP CSP](nap-csp.md)
### [NAPDEF CSP](napdef-csp.md)
### [NetworkProxy CSP](networkproxy-csp.md)
#### [NetworkProxy DDF file](networkproxy-ddf.md)
### [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
#### [NetworkQoSPolicy DDF file](networkqospolicy-ddf.md)
### [NodeCache CSP](nodecache-csp.md)
#### [NodeCache DDF file](nodecache-ddf-file.md)
### [Office CSP](office-csp.md)
#### [Office DDF](office-ddf.md)
### [PassportForWork CSP](passportforwork-csp.md)
#### [PassportForWork DDF file](passportforwork-ddf.md)
### [Personalization CSP](personalization-csp.md)
#### [Personalization DDF file](personalization-ddf.md)
### [Policy CSP](policy-configuration-service-provider.md)
#### [Policy DDF file](policy-ddf-file.md)
#### [ApplicationRestrictions XSD](applicationrestrictions-xsd.md)
### [PolicyManager CSP](policymanager-csp.md)
### [Provisioning CSP](provisioning-csp.md)
### [PROXY CSP](proxy-csp.md)
### [PXLOGICAL CSP](pxlogical-csp.md)
### [Reboot CSP](reboot-csp.md)
#### [Reboot DDF file](reboot-ddf-file.md)
### [Registry CSP](registry-csp.md)
#### [Registry DDF file](registry-ddf-file.md)
### [RemoteFind CSP](remotefind-csp.md)
#### [RemoteFind DDF file](remotefind-ddf-file.md)
### [RemoteLock CSP](remotelock-csp.md)
#### [RemoteLock DDF file](remotelock-ddf-file.md)
### [RemoteRing CSP](remotering-csp.md)
#### [RemoteRing DDF file](remotering-ddf-file.md)
### [RemoteWipe CSP](remotewipe-csp.md)
#### [RemoteWipe DDF file](remotewipe-ddf-file.md)
### [Reporting CSP](reporting-csp.md)
#### [Reporting DDF file](reporting-ddf-file.md)
### [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
#### [RootCATrustedCertificates DDF file](rootcacertificates-ddf-file.md)
### [SecureAssessment CSP](secureassessment-csp.md)
#### [SecureAssessment DDF file](secureassessment-ddf-file.md)
### [SecurityPolicy CSP](securitypolicy-csp.md)
### [SharedPC CSP](sharedpc-csp.md)
#### [SharedPC DDF file](sharedpc-ddf-file.md)
### [Storage CSP](storage-csp.md)
#### [Storage DDF file](storage-ddf-file.md)
### [SUPL CSP](supl-csp.md)
#### [SUPL DDF file](supl-ddf-file.md)
### [SurfaceHub CSP](surfacehub-csp.md)
#### [SurfaceHub DDF file](surfacehub-ddf-file.md)
### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
#### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md)
### [Update CSP](update-csp.md)
#### [Update DDF file](update-ddf-file.md)
### [VPN CSP](vpn-csp.md)
#### [VPN DDF file](vpn-ddf-file.md)
### [VPNv2 CSP](vpnv2-csp.md)
#### [VPNv2 DDF file](vpnv2-ddf-file.md)
#### [ProfileXML XSD](vpnv2-profile-xsd.md)
#### [EAP configuration](eap-configuration.md)
### [w4 APPLICATION CSP](w4-application-csp.md)
### [w7 APPLICATION CSP](w7-application-csp.md)
### [WiFi CSP](wifi-csp.md)
#### [WiFi DDF file](wifi-ddf-file.md)
### [Win32AppInventory CSP](win32appinventory-csp.md)
#### [Win32AppInventory DDF file](win32appinventory-ddf-file.md)
### [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
#### [WindowsAdvancedThreatProtection DDF file](windowsadvancedthreatprotection-ddf.md)
### [WindowsLicensing CSP](windowslicensing-csp.md)
#### [WindowsLicensing DDF file](windowslicensing-ddf-file.md)
### [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
#### [WindowsSecurityAuditing DDF file](windowssecurityauditing-ddf-file.md)

268
windows/client-management/mdm/activesync-csp.md Normal file
View File

@ -0,0 +1,268 @@
---
title: ActiveSync CSP
description: ActiveSync CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# ActiveSync CSP
The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status.
Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported.
> **Note**  
The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
 
The following diagram shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
![activesync csp (cp)](images/provisioning-csp-activesync-cp.png)
<a href="" id="--user-vendor-msft-activesync"></a>**./User/Vendor/MSFT/ActiveSync**
The root node for the ActiveSync configuration service provider.
> **Note**  
The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
 
The supported operation is Get.
<a href="" id="accounts"></a>**Accounts**
The root node for all ActiveSync accounts.
The supported operation is Get.
<a href="" id="account-guid"></a>***Account GUID***
Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device.
Supported operations are Get, Add, and Delete.
When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account.
Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example:
``` syntax
<characteristic type="{C556E16F-56C4-4EDB-9C64-D9469EE1FBE0}"/>
```
For OMA DM, you must use the ASCII values of %7B and %7D for the opening and closing braces, respectively. For example, if the GUID is "C556E16F-56C4-4EDB-9C64-D9469EE1FBE0", type:
``` syntax
<Target>
<LocURI>
./Vendor/MSFT/ActiveSync/Accounts/%7BC556E16F-56C4-4EDB-9C64-D9469EE1FBE0%7D
</LocURI>
</Target>
```
<a href="" id="account-guid-emailaddress"></a>***Account GUID*/EmailAddress**
Required. A character string that specifies the email address associated with the Exchange ActiveSync account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
This email address is entered by the user during setup and must be in the fully qualified email address format, for example, "someone@example.com".
<a href="" id="account-guid-domain"></a>***Account GUID*/Domain**
Optional for Exchange. Specifies the domain name of the Exchange server.
Supported operations are Get, Replace, Add, and Delete.
<a href="" id="account-guid-accounticon"></a>***Account GUID*/AccountIcon**
Required. A character string that specifies the location of the icon associated with the account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings &gt; email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
<a href="" id="account-guid-accounttype"></a>***Account GUID*/AccountType**
Required. A character string that specifies the account type.
Supported operations are Get and Add (cannot Add after the account is created).
This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange".
<a href="" id="account-guid-accountname"></a>***Account GUID*/AccountName**
Required. A character string that specifies the name that refers to the account on the device.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
<a href="" id="account-guid-password"></a>***Account GUID*/Password**
Required. A character string that specifies the password for the account.
Supported operations are Get, Replace, Add, and Delete.
For the Get command, only asterisks are returned.
<a href="" id="account-guid-servername"></a>***Account GUID*/ServerName**
Required. A character string that specifies the server name used by the account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
<a href="" id="account-guid-username"></a>***Account GUID*/UserName**
Required. A character string that specifies the user name for the account.
Supported operations are Get, and Add (cannot Add after the account is created).
The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com".
<a href="" id="options"></a>**Options**
Node for other parameters.
<a href="" id="options-calendaragefilter"></a>**Options/CalendarAgeFilter**
Specifies the time window used for syncing calendar items to the device. Value type is chr.
<a href="" id="options-logging"></a>**Options/Logging**
Required. A character string that specifies whether diagnostic logging is enabled and at what level. The default is 0 (disabled).
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Valid values are one of the following:
- 0 (default) - Logging is off.
- 1 - Basic logging is enabled.
- 2 - Advanced logging is enabled.
Logging is set to off by default. The user might be asked to set this to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic.
<a href="" id="options-mailbodytype"></a>**Options/MailBodyType**
Indicates the email format. Valid values:
- 0 - none
- 1 - text
- 2 - HTML
- 3 - RTF
- 4 - MIME
<a href="" id="options-mailhtmltruncation"></a>**Options/MailHTMLTruncation**
Specifies the size beyond which HTML-formatted email messages are truncated when they are synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation.
<a href="" id="options-mailplaintexttruncation"></a>**Options/MailPlainTextTruncation**
This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.
<a href="" id="options-usessl"></a>**Options/UseSSL**
Optional. A character string that specifies whether SSL is used.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Valid values are:
- 0 - SSL is not used.
- 1 (default) - SSL is used.
<a href="" id="options-schedule"></a>**Options/Schedule**
Required. A character string that specifies the time until the next sync is performed, in minutes. The default value is -1.
Supported operations are Get and Replace.
Valid values are one of the following:
- -1 (default) - A sync will occur as items are received
- 0 - All syncs must be performed manually
- 15 - Sync every 15 minutes
- 30 - Sync every 30 minutes
- 60 - Sync every 60 minutes
<a href="" id="options-mailagefilter"></a>**Options/MailAgeFilter**
Required. A character string that specifies the time window used for syncing email items to the device. The default value is 3.
Supported operations are Get and Replace.
Valid values are one of the following:
- 0 No age filter is used, and all email items are synced to the device.
- 2 Only email up to three days old is synced to the device.
- 3 (default) Email up to a week old is synced to the device.
- 4 Email up to two weeks old is synced to the device.
- 5 Email up to a month old is synced to the device.
<a href="" id="options-contenttypes-content-type-guid"></a>**Options/ContentTypes/****_Content Type GUID_**
Defines the type of content to be individually enabled/disabled for sync.
The *GUID* values allowed are one of the following:
- Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}"
- Contacts: "{0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}"
- Calendar: "{4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}"
- Tasks: "{783ae4f6-4c12-4423-8270-66361260d4f1}"
<a href="" id="options-contenttypes-content-type-guid-enabled"></a>**Options/ContentTypes/*Content Type GUID*/Enabled**
Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default is "1" (enabled).
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Valid values are one of the following:
- 0 - Sync for email, contacts, calendar, or tasks is disabled.
- 1 (default) - Sync is enabled.
<a href="" id="options-contenttypes-content-type-guid-name"></a>**Options/ContentTypes/*Content Type GUID*/Name**
Required. A character string that specifies the name of the content type.
> **Note**  In Windows 10, this node is currently not working.
 
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
<a href="" id="policies"></a>**Policies**
Node for mail body type and email age filter.
<a href="" id="policies-mailbodytype"></a>**Policies/MailBodyType**
Required. Specifies the email body type: HTML or plain.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="policies-maxmailagefilter"></a>**Policies/MaxMailAgeFilter**
Required. Specifies the time window used for syncing mail items to the device.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

696
windows/client-management/mdm/activesync-ddf-file.md Normal file
View File

@ -0,0 +1,696 @@
---
title: ActiveSync DDF file
description: ActiveSync DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# ActiveSync DDF file
This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[
<?oma-dm-ddf-ver supported-versions="1.2"?>
]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>ActiveSync</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The root node for ActiveSync configuration.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/ActiveSync</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>Accounts</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The parent node group all active sync accounts.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Account GUID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EmailAddress</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>The email address the user entered during setup. This is the email address that is associated with the Exchange ActiveSync account and it is required.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Domain</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Domain name of the Exchange server</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AccountIcon</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specify the location of the icon associated with the account.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AccountType</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specify the account type.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AccountName</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>The name that refers to the account on the phone.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Password</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>A character string that specifies the password for the account.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ServerName</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the server name used by the account.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>UserName</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the user name for the account.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Options</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies whether email, contacts, and calendar need to synchronize by default, and sets preference such as sync schedule, truncation sizes, and logging.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CalendarAgeFilter</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the time window used for syncing calendar items to the phone.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Logging</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies whether diagnostic logging is enabled and at what level.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MailBodyType</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Indicates format type of the Email. Supported values are 0 (none), 1 (text), 2 (HTML), 3 (RTF), and 4 (MIME).</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MailHTMLTruncation</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>This setting specifies the size beyond which HTML-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MailPlainTextTruncation</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Schedule</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the time until the next sync is performed in minutes.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>UseSSL</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies whether SSL is used.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MailAgeFilter</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the time window used for syncing email items to the phone.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ContentTypes</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Enables or disables syncing email, contacts, task, and calendar.Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1}</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<OneOrN>1</OneOrN>
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Content Type GUID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Enabled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Enables or disables Sync for Email, contacts, calendar, and Tasks.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>The name of the content type.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>Policies</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the mail body type and email age filter.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>MailBodyType</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the email body type. HTML or plain</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxMailAgeFilter</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the time window used for syncing mail items to the device.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[ActiveSync configuration service provider](activesync-csp.md)
 
 

100
windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md Normal file
View File

@ -0,0 +1,100 @@
---
title: Add an Azure AD tenant and Azure AD subscription
description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 36D94BEC-A6D8-47D2-A547-EBD7B7D163FA
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Add an Azure AD tenant and Azure AD subscription
Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
> **Note**  If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. For step-by-step guide to register this free subscription, see [Register your free Azure Active Directory subscription.](#register-your-free-azure-active-directory-subscription)
1. Sign-up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
![sign up for azure ad tenant](images/azure-ad-add-tenant1.png)
2. Enter the information for your organization. Click **check availability** to verify that domain name that you selected is available.
![sign up for azure ad](images/azure-ad-add-tenant2.png)
3. Complete the login and country information. You must provide a valid phone number, then click **Send text message** or **Call me**.
![create azure account](images/azure-ad-add-tenant3.png)
4. Enter the code that you receive and then click **Verify code**. After the code is verified and the continue button turns green, click **continue**.
![add aad tenant](images/azure-ad-add-tenant3-b.png)
5. After you finish creating your Azure account, you are ready to add an Azure AD subscription.
If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to Office 356 portal, <https://portal.office.com/> and then sign in using the admin account that you just created in Step 4 (for example, user1@contosoltd.onmicrosoftcom).
![login to office 365](images/azure-ad-add-tenant4.png)
6. Click **Install software**.
![login to office 365](images/azure-ad-add-tenant5.png)
7. In the Office 365 portal, select **Purchase Services** from the left nagivation.
![purchase service option in admin center menu](images/azure-ad-add-tenant6.png)
8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then click to purchase.
![azure active directory option in purchase services page](images/azure-ad-add-tenant7.png)
9. Continue with your purchase.
![azure active directory premium payment page](images/azure-ad-add-tenant8.png)
10. After the purchase is completed, you can login to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc...).
![admin center left navigation menu](images/azure-ad-add-tenant9.png)
When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications.
## Register your free Azure Active Directory subscription
If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription.
1. Sign in to the Office 365 portal at <https://portal.office.com> using your organization's account.
![register azuread](images/azure-ad-add-tenant10.png)
2. On the **Home** page, click on the Admin tools icon.
![register azuread](images/azure-ad-add-tenant11.png)
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
![register azuread](images/azure-ad-add-tenant12.png)
4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
![register azuread](images/azure-ad-add-tenant13.png)
5. It may take a few minutes to process the request.
![register azuread](images/azure-ad-add-tenant14.png)
6. You will see a welcome page when the process completes.
![register azuread](images/azure-ad-add-tenant15.png)
 

150
windows/client-management/mdm/alljoynmanagement-csp.md Normal file
View File

@ -0,0 +1,150 @@
---
title: AllJoynManagement CSP
description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 468E0EE5-EED3-48FF-91C0-89F9D159AA8C
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# AllJoynManagement CSP
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
> **Note**  
The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
This CSP was added in Windows 10, version 1511.
 
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](http://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](http://go.microsoft.com/fwlink/p/?LinkId=615877).
The following diagram shows the AllJoynManagement configuration service provider in tree format
![alljoynmanagement csp diagram](images/provisioning-csp-alljoynmanagement.png)
The following list describes the characteristics and parameters.
<a href="" id="--vendor-msft-alljoynmanagement"></a>**./Vendor/MSFT/AllJoynManagement**
The root node for the AllJoynManagement configuration service provider.
<a href="" id="services"></a>**Services**
List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included.
<a href="" id="services-node-name"></a>**Services/****_Node name_**
The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects.
<a href="" id="services-node-name-port"></a>**Services/*Node name*/Port**
The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports.
<a href="" id="services-node-name-port-node-name"></a>**Services/*Node name*/Port/****_Node name_**
Port number used for communication. This is specified by the configurable AllJoyn object and reflected here.
<a href="" id="services-node-name-port-node-name-cfgobject"></a>**Services/*Node name*/Port/*Node name*/CfgObject**
The set of configurable interfaces that are available on the port of the AllJoyn object.
<a href="" id="services-node-name-port-node-name-cfgobject-node-name"></a>**Services/*Node name*/Port/*Node name*/CfgObject/****_Node name_**
The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig.
<a href="" id="credentials"></a>**Credentials**
This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node.
When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase.
<a href="" id="credentials-node-name"></a>**Credentials/****_Node name_**
This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID.
<a href="" id="credentials-node-name-key"></a>**Credentials/*Node name*/Key**
An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard.
<a href="" id="firewall"></a>**Firewall**
Firewall setting for the AllJoyn service.
<a href="" id="firewall-publicprofile"></a>**Firewall/PublicProfile**
Boolean value to enable or disable the AllJoyn router service (AJRouter.dll) for public network profile.
<a href="" id="firewall-privateprofile"></a>**Firewall/PrivateProfile**
Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enabled for private network profile.
## Examples
Set adapter configuration
``` syntax
<?xml version="1.0" encoding="utf-8"?>
SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/AllJoynManagement/Services/_ALLJOYN_DEVICE_ID_/Port/27/Configuration/%2FDSBService%2FAdapterConfig</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
</Meta> <Data>PAA/AHgAbQBsACAAdgBlAHIAcwBpAG8AbgA9ACIAMQAuADAAIgA/AD4ADQAKADwAQgBhAGMATgBlAHQAQwBmAGcAPgANAAoACQA8AEIAQgBNAEQAUwBlAHIAdgBlAHIAPgANAAoACQAJADwASQBQAEEAZABkAHIAZQBzAHMAPgAxADIANwAuADAALgAwAC4AMQA8AC8ASQBQAEEAZABkAHIAZQBzAHMAPgANAAoACQAJADwAUABvAHIAdAA+ADQANwA4ADAAOAA8AC8AUABvAHIAdAA+AA0ACgAJADwALwBCAEIATQBEAFMAZQByAHYAZQByAD4ADQAKADwALwBCAGEAYwBOAGUAdABDAGYAZwA+AA0ACgAAAA==</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. Note that the data is base-64 encoded representation of the configuration file that you are setting.
Get PIN data
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/AllJoynManagement/Credentials?list=StructData</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Get the firewall PrivateProfile
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/AllJoynManagement/Firewall/PrivateProfile</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
 
 

342
windows/client-management/mdm/alljoynmanagement-ddf.md Normal file
View File

@ -0,0 +1,342 @@
---
title: AllJoynManagement DDF
description: AllJoynManagement DDF
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# AllJoynManagement DDF
This topic shows the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. This CSP was added in Windows 10, version 1511.
You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>AllJoynManagement</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Services</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This is the list of AllJoyn Objects that are discovered on the AllJoyn bus. Only AllJoyn Objects that expose the "com.microsoft.alljoynmanagement.config" will be shown here.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The Unique AllJoyn About Device ID, a GUID, that Hosts one or more configurable objects
.
</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ServiceID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Port</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The set of Ports that this AllJoyn Object uses to communicate configuration settings through.
Typically, only one port is used for communication, but it is possible that additional ports may be specified.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The AllJoyn Port Number to communicate on. This is specified by the Configurable AllJoyn Object and is reflected here.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PortNum</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CfgObject</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The set of configurable interfaces that are available on the Port of the AllJoyn Object</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The remainder of this URI is an escaped path to the Configurable AllJoyn Object Hosted by the parent ServiceID and Accessible by the parent PortNum.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn Configuration Interface "\ASBService\BridgeConfig" would be specified in the URI as: %2FASBService%2FBridgeConfig
</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<OneOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>CfgObjectPath</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>Credentials</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This is the Credential Store. An Administrator can set credentials for each AllJoyn device that requires authentication at this node.
If a SYNCML request arrives in the CSP to replace or query a configuration item on an AllJoyn Object that requires authentication, then the CSP will use the Credentials stored here during the authentication phase.
</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This is the same ServiceID as specified in the \AllJoynManagement\Services\ServiceID URI.
It is typically implemented as a GUID.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ServiceID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Key</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Firewall</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Firewall setting for the AllJoyn service (AJRouter.dll).</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>PublicProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Boolean value to enable or disable the AllJoyn router service (AJRouter.dll) for Public network profile.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PrivateProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enabled for Private network profile.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[AllJoynManagement configuration service provider](alljoynmanagement-csp.md)
 
 

43
windows/client-management/mdm/application-csp.md Normal file
View File

@ -0,0 +1,43 @@
---
title: APPLICATION configuration service provider
description: APPLICATION configuration service provider
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# APPLICATION configuration service provider
The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. The following list shows the supported transports.
- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md)
- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md)
The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document.
For the device to decode correctly, provisioning XML that contains the APPLICATION characteristic must support OMA Client Provisioning version 1.1.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

129
windows/client-management/mdm/applicationrestrictions-xsd.md Normal file
View File

@ -0,0 +1,129 @@
---
title: ApplicationRestrictions XSD
description: Here's the XSD for the ApplicationManagement/ApplicationRestrictions policy.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: A5AA2B59-3736-473E-8F70-A90FD61EE426
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# ApplicationRestrictions XSD
Here's the XSD for the ApplicationManagement/ApplicationRestrictions policy.
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="AppPolicy_xsd"
attributeFormDefault="unqualified"
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://schemas.microsoft.com/phone/2013/policy"
xmlns="http://schemas.microsoft.com/phone/2013/policy"
xmlns:m="http://schemas.microsoft.com/phone/2013/policy"
>
<!-- Non-empty string must have a non-whitespace character at the beginning and end -->
<xs:simpleType name="ST_NonEmptyString">
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:maxLength value="32767"/>
<xs:pattern value="[^\s]|([^\s].*[^\s])"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="ST_Publisher">
<xs:restriction base="xs:string">
<xs:maxLength value="256"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="CT_LowerCaseGuid">
<xs:annotation>
<xs:documentation>GUID must use lowercase letters</xs:documentation>
</xs:annotation>
<xs:restriction base="ST_NonEmptyString">
<xs:pattern value="\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="CT_Application">
<xs:attribute name="ProductId" type="CT_LowerCaseGuid" />
</xs:complexType>
<xs:complexType name="CT_ApplicationWithPublisher">
<xs:attribute name="ProductId" type="CT_LowerCaseGuid" />
<xs:attribute name="PublisherName" type="ST_Publisher" use="optional" />
</xs:complexType>
<xs:complexType name="CT_AllowedPublisher">
<xs:sequence>
<xs:element name="DenyApp" type="CT_Application" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="PublisherName" type="ST_Publisher" use="required" />
</xs:complexType>
<xs:complexType name="CT_DeniedPublisher">
<xs:sequence>
<xs:element name="AllowApp" type="CT_Application" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="PublisherName" type="ST_Publisher" use="required" />
</xs:complexType>
<xs:element name="Deny">
<xs:complexType>
<xs:sequence>
<xs:element name="App" type="CT_Application" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="Publisher" type="CT_DeniedPublisher" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Allow">
<xs:complexType>
<xs:sequence>
<xs:element name="App" type="CT_ApplicationWithPublisher" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="Publisher" type="CT_AllowedPublisher" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AppPolicy">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="1">
<xs:element ref="Deny" />
<xs:element ref="Allow" />
</xs:choice>
<xs:attribute name="Version" use="required" type="xs:unsignedLong" />
</xs:complexType>
<!-- Uniqueness Checks -->
<xs:unique name="NoDuplicateProductIDs">
<xs:selector xpath=".//*"/>
<xs:field xpath="@ProductId"/>
</xs:unique>
<!-- Uniqueness Checks -->
<xs:unique name="NoDuplicatePublisherNames">
<xs:selector xpath=".//*"/>
<xs:field xpath="@PublisherName"/>
</xs:unique>
</xs:element>
</xs:schema>
```
 
 

1413
windows/client-management/mdm/applocker-csp.md Normal file
View File

File diff suppressed because it is too large Load Diff

686
windows/client-management/mdm/applocker-ddf-file.md Normal file
View File

@ -0,0 +1,686 @@
---
title: AppLocker DDF file
description: AppLocker DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# AppLocker DDF file
This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>AppLocker</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ApplicationLaunchRestrictions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Grouping</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EXE</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NonInteractiveProcessEnforcement</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>MSI</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Script</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>StoreApps</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>DLL</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NonInteractiveProcessEnforcement</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>CodeIntegrity</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>EnterpriseDataProtection</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Grouping</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EXE</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>StoreApps</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[AppLocker configuration service provider](applocker-csp.md)
 
 

1294
windows/client-management/mdm/applocker-xsd.md Normal file
View File

File diff suppressed because it is too large Load Diff

456
windows/client-management/mdm/appv-deploy-and-config.md Normal file
View File

@ -0,0 +1,456 @@
---
title: Deploy and configure App-V apps using MDM
description: Deploy and configure App-V apps using MDM
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Deploy and configure App-V apps using MDM
## Executive summary
<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premise group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premise counterparts.</p>
<p>MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.</p>
### EnterpriseAppVManagement CSP node structure
[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp)
![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png)
<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.</p>
<p><b>AppVPublishing</b> - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
- EnterpriseAppVManagement
- AppVPackageManagement
- **AppVPublishing**
- LastSync
- LastError
- LastErrorDescription
- SyncStatusDescription
- SyncProgress
- Sync
- PublishXML
- AppVDynamicPolicy
<p>Sync command:</p>
[App-V Sync protocol reference]( https://msdn.microsoft.com/enus/library/mt739986.aspx)
<p><b>AppVDynamicPolicy</b> - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
- EnterpriseAppVManagement
- AppVPackageManagement
- AppVPublishing
- **AppVDynamicPolicy**
- [ConfigurationId]
- Policy
<p>Dynamic policy examples:</p>
[Dynamic configuration processing](https://technet.microsoft.com/en-us/itpro/windows/manage/appv-application-publishing-and-client-interaction#bkmk-dynamic-config">Dynamic configuration processing)
<p><b>AppVPackageManagement</b> - Primarily read-only App-V package inventory data for MDM servers to query current packages.</p>
- EnterpriseAppVManagement
- **AppVPackageManagement**
- [EnterpriseID]
- [PackageFamilyName]
- [PackageFullName]
- Name
- Version
- Publisher
- InstallLocation
- InstallDate
- Users
- AppVPackageID
- AppVVersionId
- AppVPackageUri
- AppVPublishing
- AppVDynamicPolicy
<p>The examples in the scenarios section demonstrate how the publishing document should be created to successfully publish packages, dynamic policies, and connection groups.</p>
## Scenarios addressed in App-V MDM functionality
<p>All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premise App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.</p>
<p>A complete list of App-V policies can be found here:</p>
[ADMX-backed policy reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-admx-backed)
[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp)
### SyncML examples
<p>The following SyncML examples address specific App-V client scenarios.</p>
#### Enable App-V client
<p>This example shows how to enable App-V on the device.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient</LocURI>
</Target>
<Data>&lt;enabled/&gt;</Data>
</Item>
</Replace>
```
#### Configure App-V client
<p>This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts assists in package deployments (add and publish of App-V apps).</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts</LocURI>
</Target>
<Data>&lt;enabled/&gt;</Data>
</Item>
</Replace>
```
<p>Complete list of App-V policies can be found here:</p>
[Policy CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider)
#### SyncML with package published for a device (global to all users for that device)
<p>This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</Packages>
<NoGroup>
<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
#### SyncML with package (with dynamic configuration policy) published for a device (global to all users on that device)
<p>This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/38/Policy</ LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<DeploymentConfiguration PackageId="57650ac1-1731-4b4c-899ca25548374dab" DisplayName="Skype_RS2Win10_X64" xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration">
<MachineConfiguration></MachineConfiguration>
<UserConfiguration>
<Subsystems>
<Shortcuts Enabled="true">
<Extensions>
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{ThisPCDesktopFolder}]\Skype_FromMDM.lnk</File>
<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
<Arguments/>
<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
<Description>Launch Skype</Description>
<ShowCommand>1</ShowCommand>
<ApplicationId>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</ApplicationId>
</Shortcut>
</Extension>
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{Common Desktop}]\Skype_FromMDMAlso.lnk</File>
<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
<Arguments/>
<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
<Description>Launch Skype</Description>
<ShowCommand>1</ShowCommand>
<ApplicationId>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</ApplicationId>
</Shortcut>
</Extension>
</Extensions>
</Shortcuts>
</Subsystems>
</UserConfiguration>
</DeploymentConfiguration>
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" PackageId="57650ac11731-4b4c-899c-a25548374dab">
<DeploymentConfiguration ConfigurationId="38" Path="38" Timestamp="2012-08-27T16:14:30.87" /></Package>
</Packages>
<NoGroup>
<Package PackageId="57650ac1-1731-4b4c-899ca25548374dab"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
#### SyncML with package (using user config deployment) published for a specific user
<p>This SyncML example shows how to publish a package for a specific MDM user.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
</Packages>
<NoGroup>
<Package PackageId="e9a51aaf-5d9a-48df-96e23372a278bca4"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
#### SyncML for publishing mixed-mode connection group containing global and user-published packages
<p>This SyncML example shows how to publish a connection group, and group applications and plugins together.</p>
> [!NOTE]
> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group.
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" PackageId="57650ac11731-4b4c-899c-a25548374dab"></Package>
</Packages>
</Publishing>
</Data>
</Item>
</Exec>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"></Package>
</Packages>
<NoGroup>
<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</NoGroup>
<Groups>
<Group GroupId="98d5cebd-165f-403b-a426-7a1f6ae9c399" VersionId="AE76602B-5613-4BAD-9EE5-1728FA55B699" Priority="46" Name="Try7">
<Package PackageId="57650ac1-1731-4b4c-899ca25548374dab" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" VersionOptional="false" PackageOptional="false"/>
<Package PackageId="e9a51aaf-5d9a-48df-96e23372a278bca4" VersionOptional="true" PackageOptional="true"/>
</Group>
</Groups>
</Publishing>
</Data>
</Item>
</Exec>
```
#### Unpublish example SyncML for all global packages
<p>This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages></Packages>
<NoGroup></NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
#### Query packages on a device
<p>These SyncML examples return all global, and user-published packages on the device.</p>
``` syntax
<Get>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
``` syntax
<Get>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
```

138
windows/client-management/mdm/assign-seats.md Normal file
View File

@ -0,0 +1,138 @@
---
title: Assign seat
description: The Assign seat operation assigns seat for a specified user in the Windows Store for Business.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: B42BF490-35C9-405C-B5D6-0D9F0E377552
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Assign seat
The **Assign seat** operation assigns seat for a specified user in the Windows Store for Business.
## Request
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Method</th>
<th>Request URI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>POST</p></td>
<td><p>https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}</p></td>
</tr>
</tbody>
</table>
 
### URI parameters
The following parameters may be specified in the request URI.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>productId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier for an application that is used by the Store for Business.</p></td>
</tr>
<tr class="even">
<td><p>skuId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier that specifies a specific SKU of an application.</p></td>
</tr>
<tr class="odd">
<td><p>username</p></td>
<td><p>string</p></td>
<td><p>Requires UserPrincipalName (UPN). User name of the target user account.</p></td>
</tr>
</tbody>
</table>
## Response
### Response body
The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails).
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th>Error code</th>
<th>Description</th>
<th>Retry</th>
<th>Data field</th>
<th>Details</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>400</p></td>
<td><p>Invalid parameters</p></td>
<td><p>No</p></td>
<td><p>Parameter name</p>
<p>Reason: Invalid parameter</p>
<p>Details: String</p></td>
<td><p>Invalid can include productId, skuId or userName</p></td>
</tr>
<tr class="even">
<td><p>404</p></td>
<td><p>Not found</p></td>
<td></td>
<td><p>Item type: Inventory, User, Seat</p>
<p>Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName</p></td>
<td><p>ItemType: Inventory User Seat</p>
<p>Values: ProductId/SkuId UserName ProductId/SkuId/UserName</p></td>
</tr>
<tr class="odd">
<td><p>409</p></td>
<td><p>Conflict</p></td>
<td></td>
<td><p>Reason: Not online</p></td>
<td></td>
</tr>
</tbody>
</table>
 
 

144
windows/client-management/mdm/assignedaccess-csp.md Normal file
View File

@ -0,0 +1,144 @@
---
title: AssignedAccess CSP
description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 421CC07D-6000-48D9-B6A3-C638AAF83984
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# AssignedAccess CSP
The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration.
For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
> **Note**  The AssignedAccess CSP is only supported in Windows 10 Enterprise and Windows 10 Education.
 
The following diagram shows the AssignedAccess configuration service provider in tree format
![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png)
<a href="" id="--vendor-msft-assignedaccess"></a>**./Vendor/MSFT/AssignedAccess**
Root node for the CSP.
<a href="" id="assignedaccess-kioskmodeapp"></a>**AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220).
In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
Here's an example:
``` syntax
{"Account":"redmond\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
```
When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
> **Note**  The domain name can be optional if the user name is unique across the system.
 
For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output.
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
## Examples
KioskModeApp Add
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>{"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}</Data>
</Item>
</Add>
<Final />
</SyncBody>
</SyncML>
```
KioskModeApp Delete
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
</Item>
</Delete>
<Final />
</SyncBody>
</SyncML>
```
KioskModeApp Get
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
KioskModeApp Replace
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>{"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"}</Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
```
 
 

104
windows/client-management/mdm/assignedaccess-ddf.md Normal file
View File

@ -0,0 +1,104 @@
---
title: AssignedAccess DDF
description: AssignedAccess DDF
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# AssignedAccess DDF
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>AssignedAccess</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>KioskModeApp</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This node can accept and return json string which comprises of account name and AUMID for Kiosk mode app.
Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. </Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[AssignedAccess configuration service provider](assignedaccess-csp.md)
 
 

928
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md Normal file
View File

@ -0,0 +1,928 @@
---
title: Azure Active Directory integration with MDM
description: Azure Active Directory is the world largest enterprise cloud identity management service.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: D03B0765-5B5F-4C7B-9E2B-18E747D504EE
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
<head>
<style type='text/css'> table.topalign td { vertical-align: top } </style>
</head>
# Azure Active Directory integration with MDM
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow.
Once a device is enrolled in MDM, the MDM can enforce compliance with corporate policies, add or remove apps, and more. Additionally, the MDM can report a devices compliance Azure AD. This enables Azure AD to allow access to corporate resources or applications secured by Azure AD only to devices that comply with policies. To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This topic describes the steps involved.
## Connect to Azure AD
Several ways to connect your devices:
For company-owned devices:
- Join Windows to a traditional Active Directory domain
- Join Windows to Azure AD
For personal devices (BYOD):
- Add a Microsoft work account to Windows
### Azure AD Join
Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as System Center Configuration Manager. In Windows 10, its also possible to manage domain joined devices with an MDM.
Windows 10 introduces a new way to configure and deploy corporate owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD.
> **Important**  Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license.
 
### BYOD scenario
Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If thats the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. Its important to note that in the BYOD case, users can reject the MDM Terms of Use—in which case the device is not enrolled in MDM and access to corporate resources is typically restricted.
## Integrated MDM enrollment and UX
Two Azure AD MDM enrollment scenarios:
- Joining a device to Azure AD for company-owned devices
- Adding a work account to a personal device (BYOD)
In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used fo MDM enrollment.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render it's own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD to respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic.
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](http://go.microsoft.com/fwlink/?LinkId=690246).
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** &gt; **Accounts** &gt; **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
> **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
 
### MDM endpoints involved in Azure AD integrated enrollment
Azure AD MDM enrollment is a two-step process:
1. Display the Terms of Use and gather user consent.
This is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
2. Enroll the device.
This is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint.
<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting users consent before the actual enrollment phase begins.
Its important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies).
The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
<a href="" id="mdm-enrollment-endpoint"></a>**MDM enrollment endpoint**
After the users accepts the Terms of Use, the device is registered in Azure AD and the automatic MDM enrollment begins.
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654). A sample for reporting device compliance is provided later in this topic.
## Make the MDM a reliable party of Azure AD
To participate in the integrated enrollment flow outlined in the previous section, the MDM must be able to consume access tokens issued by Azure AD. To report compliance to Azure AD, the MDM must be able to authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654).
### Add a cloud-based MDM
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It is a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613661).
> **Note**  For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
 
The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs.
Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
1. Login to the Azure Management Portal using an admin account in your home tenant.
2. In the left navigation, click on the **Active Directory**.
3. Click the directory tenant where you want to register the application.
Ensure that you are logged into your home tenant.
4. Click the **Applications** tab.
5. In the drawer, click **Add**.
6. Click **Add an application my organization is developing**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**.
8. Enter the login URL for your MDM service.
9. For the App ID, enter **https://&lt;your\_tenant\_name&gt;/ContosoMDM**, then click OK.
10. While still in the Azure portal, click the **Configure** tab of your application.
11. Mark your application as **multi-tenant**.
12. Find the client ID value and copy it.
You will need this later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
13. Generate a key for your application and copy it.
You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section.
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613667)
### Add an on-premises MDM
An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
The customer experience for adding an on-premises MDM to their tenant is similar to that as the cloud-based MDM. There is an entry in the Azure AD app gallery to add an on-premises MDN to the tenant and administrators can configure the required URLs for enrollment and Terms of Use.
Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](http://go.microsoft.com/fwlink/p/?LinkId=613671).
### Key management and security guidelines
The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Azure AD Graph API are bearer tokens and should be protected to avoid unauthorized disclosure.
For security best practices, see [Windows Azure Security Essentials](http://go.microsoft.com/fwlink/p/?LinkId=613715).
You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There is a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
For the on-premises MDM, the keys used to authenticate with Azure AD are within the tenant of the customer and must be rolled over by the customer's administrator. In this case, you should provide guidance to the customers about rolling over and protecting the keys to improved security.
## Publish your MDM app to Azure AD app gallery
IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD.
The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software.
![azure ad add an app for mdm](images/azure-ad-app-gallery.png)
### Add cloud-based MDM to the app gallery
You should work with the Azure AD engineering team if your MDM application is cloud-based. The following table shows the required information to create an entry in the Azure AD app gallery.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p><strong>Application ID</strong></p></td>
<td style="vertical-align:top"><p>The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p><strong>Publisher</strong></p></td>
<td style="vertical-align:top"><p>A string that identifies the publisher of the app.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p><strong>Application URL</strong></p></td>
<td style="vertical-align:top"><p>A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p><strong>Description</strong></p></td>
<td style="vertical-align:top"><p>A brief description of your MDM app, which must be under 255 characters.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p><strong>Icons</strong></p></td>
<td style="vertical-align:top"><p>A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215</p></td>
</tr>
</tbody>
</table>
 
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery.There is a generic entry for administrator to add an app to their tenant.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. These are used to obtain authorization to access the Azure AD Graph API and for reporting device compliance.
## Themes
The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers.
There are 3 distinct scenarios:
1. MDM enrollment as part of Azure AD Join in Windows OOBE.
2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511.
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip).
### Using themes
An MDM page must adhere to a predefined theme depending on the scenario that is displayed. For example, if the CXH-HOSTHTTP header is FRX, which is the OOBE scenario, the page must support a dark theme with blue background color, which uses WinJS file Ui-dark.css ver 4.0 and oobe-desktop.css ver 1.0.4.
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th>CXH-HOST (HTTP HEADER)</th>
<th>Senario</th>
<th>Background Theme</th>
<th>WinJS</th>
<th>Scenario CSS</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top">FRX</td>
<td style="vertical-align:top">OOBE</td>
<td style="vertical-align:top">Dark theme + blue background color</td>
<td style="vertical-align:top">Filename: Ui-dark.css</td>
<td style="vertical-align:top">Filename: oobe-dekstop.css</td>
</tr>
<tr class="even">
<td style="vertical-align:top">MOSET</td>
<td style="vertical-align:top">Settings/
<p>Post OOBE</p></td>
<td style="vertical-align:top">Light theme</td>
<td style="vertical-align:top">Filename: Ui-light.css</td>
<td style="vertical-align:top">Filename: settings-desktop.css</td>
</tr>
</tbody>
</table>
 
## Terms of Use protocol semantics
The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows performs a full-page redirect to this endpoint. This enables the MDM to display the terms and conditions that apply and allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
### Redirect to the Terms of Use endpoint
This is a full page redirect to the Terms of User endpoint hosted by the MDM. Here is an example URL, https:<span></span>//fabrikam.contosomdm.com/TermsOfUse.
The following parameters are passed in the query string:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>redirect_uri</p></td>
<td style="vertical-align:top"><p>After the user accepts or rejects the Terms of Use, the user is redirected to this URL.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>client-request-id</p></td>
<td style="vertical-align:top"><p>A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>api-version</p></td>
<td style="vertical-align:top"><p>Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>mode</p></td>
<td style="vertical-align:top"><p>Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices.</p></td>
</tr>
</tbody>
</table>
 
### Access token
A bearer access token is issued by Azure AD is passed in the authorization header of the HTTP request. Here is a typical format:
**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw…
The following claims are expected in the access token passed by Windows to the Terms of Use endpoint:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>Object ID</p></td>
<td style="vertical-align:top"><p>Identifier of the user object corresponding to the authenticated user.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>UPN</p></td>
<td style="vertical-align:top"><p>A claim containing the user principal name (UPN) of the authenticated user.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>TID</p></td>
<td style="vertical-align:top"><p>A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Resource</p></td>
<td style="vertical-align:top"><p>A sanitized URL representing the MDM application. Example, https:<span></span>//fabrikam.contosomdm.com.</p></td>
</tr>
</tbody>
</table>
 
> **Note**  There is no device ID claim in the access token because the device may not yet be enrolled at this time.
 
To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654).
Here's an example URL.
``` syntax
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
The MDM is expected to validate the signature of the access token to ensure it was issued by Azure AD and ensure that recipient is appropriate.
### Terms of Use content
The MDM may perform other additional redirects as necessary before displaying the Terms of Use content to the user. The appropriate Terms of Use content should be returned to the caller (Windows) so it can be displayed to the end user in the browser control.
The Terms of Use content should contain the following buttons:
- **Accept** - the user accepts the Terms of Use and proceeds with enrollment.
- **Decline** - the user declines and stops the enrollment process.
The Terms of Use content must be consistent with the theme used for the other pages rendered during this process.
### Terms of Use endpoint processing logic
At this point, the user is on the Terms of Use page shown during the OOBE or from the Setting experiences. The user has the following options on the page:
- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This mandatory Boolean must be set to true.
- **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
- Here is an example redirect - ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true
- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This mandatory Boolean must be set to false. This also applies if the user skipped the Terms of Use.
- **OpaqueBlob** - This parameter is not expected to be used because the enrollment is stopped with an error message displayed to the user.
Users skip the Terms of Use when they are adding a Microsoft work account to their device. However, then cannot skip it during the Azure AD Join process. The decline button must not be shown in the Azure AD Join process because MDM enrollment cannot be declined by the user if configured by the administrator for the Azure AD Join.
We recommend that you send the client-request-id parameters in the query string as part of this redirect response.
### Terms Of Use Error handling
If an error was encountered during the terms of use processing, the MDM can return two parameters an error and error\_description parameter in its redirect request back to Windows. Note that the URL should be encoded and the contents of the error\_description should be in English plain text. This text is not visible to the end-user and therefore localization of the error description text is not a concern.
Here is the URL format:
``` syntax
HTTP/1.1 302
Location:
<redirect_uri>?error=access_denied&error_description=Access%20is%20denied%2E
Example:
HTTP/1.1 302
Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Acess%20is%20denied%2E
```
The following table shows the error codes.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Cause</th>
<th>HTTP status</th>
<th>Error</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>api-version</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>invalid_request</p></td>
<td style="vertical-align:top"><p>unsupported version</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Tenant or user data are missingor other required prerequisites for device enrollment are not met</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>unauthorized_client</p></td>
<td style="vertical-align:top"><p>unauthorized user or tenant</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Azure AD token validation failed</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>unauthorized_client</p></td>
<td style="vertical-align:top"><p>unauthorized_client</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>internal service error</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>server_error</p></td>
<td style="vertical-align:top"><p>internal service error</p></td>
</tr>
</tbody>
</table>
 
## Enrollment protocol with Azure AD
With Azure integrated MDM enrollment, there is no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Detail</th>
<th>Traditional MDM enrollment</th>
<th>Azure AD Join (corporate-owned device)</th>
<th>Azure AD add a work account (user-owned device)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>MDM auto-discovery using email address to retrieve MDM discovery URL</p></td>
<td style="vertical-align:top"><p>Enrollment</p></td>
<td style="vertical-align:top"><p>Not applicable</p>
<p>Discovery URL provisioned in Azure</p></td>
<td style="vertical-align:top"><p></p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Uses MDM discovery URL</p></td>
<td style="vertical-align:top"><p>Enrollment</p>
<p>Enrollment renewal</p>
<p>ROBO</p></td>
<td style="vertical-align:top"><p>Enrollment</p>
<p>Enrollment renewal</p>
<p>ROBO</p></td>
<td style="vertical-align:top"><p>Enrollment</p>
<p>Enrollment renewal</p>
<p>ROBO</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Is MDM enrollment required?</p></td>
<td style="vertical-align:top"><p>Yes</p></td>
<td style="vertical-align:top"><p>Yes</p></td>
<td style="vertical-align:top"><p>No</p>
<p>User can decline.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Authentication type</p></td>
<td style="vertical-align:top"><p>OnPremise</p>
<p>Federated</p>
<p>Certificate</p></td>
<td style="vertical-align:top"><p>Federated</p></td>
<td style="vertical-align:top"><p>Federated</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>EnrollmentPolicyServiceURL</p></td>
<td style="vertical-align:top"><p>Optional (all auth)</p></td>
<td style="vertical-align:top"><p>Optional (all auth)</p>
<p></p></td>
<td style="vertical-align:top"><p>Optional (all auth)</p>
<p></p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>EnrollmentServiceURL</p></td>
<td style="vertical-align:top"><p>Required (all auth)</p></td>
<td style="vertical-align:top"><p>Used (all auth)</p></td>
<td style="vertical-align:top"><p>Used (all auth)</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL</p></td>
<td style="vertical-align:top"><p>Highly recommended</p></td>
<td style="vertical-align:top"><p>Highly recommended</p></td>
<td style="vertical-align:top"><p>Highly recommended</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>AuthenticationServiceURL used</p></td>
<td style="vertical-align:top"><p>Used (Federated auth)</p></td>
<td style="vertical-align:top"><p>Skipped</p></td>
<td style="vertical-align:top"><p>Skipped</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>BinarySecurityToken</p></td>
<td style="vertical-align:top"><p>Custom per MDM</p></td>
<td style="vertical-align:top"><p>Azure AD issued token</p></td>
<td style="vertical-align:top"><p>Azure AD issued token</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>EnrollmentType</p></td>
<td style="vertical-align:top"><p>Full</p></td>
<td style="vertical-align:top"><p>Device</p></td>
<td style="vertical-align:top"><p>Full</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Enrolled certificate type</p></td>
<td style="vertical-align:top"><p>User certificate</p></td>
<td style="vertical-align:top"><p>Device certificate</p></td>
<td style="vertical-align:top"><p>User certificate</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Enrolled certificate store</p></td>
<td style="vertical-align:top"><p>My/User</p></td>
<td style="vertical-align:top"><p>My/System</p></td>
<td style="vertical-align:top"><p>My/User</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>CSR subject name</p></td>
<td style="vertical-align:top"><p>User Principal Name</p></td>
<td style="vertical-align:top"><p>Device ID</p></td>
<td style="vertical-align:top"><p>User Principal Name</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL</p></td>
<td style="vertical-align:top"><p>Not supported</p></td>
<td style="vertical-align:top"><p>Supported</p></td>
<td style="vertical-align:top"><p>Supported</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>CSPs accessible during enrollment</p></td>
<td style="vertical-align:top"><p>Windows 10 support:</p>
<ul>
<li>DMClient</li>
<li>CertificateStore</li>
<li>RootCATrustedCertificates</li>
<li>ClientCertificateInstall</li>
<li>EnterpriseModernAppManagement</li>
<li>PassportForWork</li>
<li>Policy</li>
<li>w7 APPLICATION</li>
</ul>
<p>Legacy support:</p>
<ul>
<li>EnterpriseAppManagement (Windows Phone 8.1)</li>
</ul></td>
<td style="vertical-align:top"><p>same as traditional MDM enrollment</p></td>
<td style="vertical-align:top"><p>same as traditional MDM enrollment</p></td>
</tr>
</tbody>
</table>
 
## Management protocol with Azure AD
There are two different MDM enrollment types that take advantage of integration with Azure AD and therefore make use of Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
<a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD joined devices**
In this scenario the MDM enrollment applies to every Azure AD user who logs on to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, conclude what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token is not sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user logs on to the machine, Azure AD user token is not available to OMA-DM process. Typically MDM enrollment completes before Azure AD user logs on to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
<a href="" id="adding-a-work-account-and-mdm-enrollment-to-a-device"></a>**Adding a work account and MDM enrollment to a device**
In this scenario, the MDM enrollment applies to a single user who initially added his work account and enrolled the device. In this enrollment type the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
<a href="" id="evaluating-azure-ad-user-tokens"></a>**Evaluating Azure AD user tokens**
The Azure AD token is in the HTTP Authorization header in the following format:
``` syntax
Authorization:Bearer <Azure AD User Token Inserted here>
```
Additional claims may be present in the Azure AD token, such as:
- User - user currently logged in
- Device compliance - value set the the MDM service into Azure
- Device ID - identifies the device that is checking in
- Tenant ID
Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to initiate the enrollment process. There are a couple of options to evaluate the tokens:
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](http://go.microsoft.com/fwlink/p/?LinkId=613820).
- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613667).
## Device Alert 1224 for Azure AD user token
An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
``` syntax
Alert Type: com.microsoft/MDM/AADUserToken
Alert sample:
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/AADUserToken</Type>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta>
<Data>UserToken inserted here</Data>
</Item>
</Alert>
… other xml tags …
</SyncBody>
```
## Determine when a user is logged in through polling
An alert is send to the MDM server in DM package\#1.
- Alert type - com.microsoft/MDM/LoginStatus
- Alert format - chr
- Alert data - provide login status information for the current active logged in user.
- Logged in user who has an Azure AD account - predefined text: user.
- Logged in user without an Azure AD account- predefined text: others.
- No active user - predefined text:none
Here's an example.
``` syntax
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta>
<Data>user</Data>
</Item>
</Alert>
… other xml tags …
</SyncBody>
```
## Report device compliance to Azure AD
Once a device is enrolled with the MDM for management, corporate policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613822).
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. Use this key to authenticate the MDM service with Azure AD, in order to obtain authorization.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This is because each on-premises instance of your MDM product has a different tenant-specific key. For this purpose, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
### Use Azure AD Graph API
The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it.
``` syntax
Sample Graph API Request:
PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
Authorization: Bearer eyJ0eXAiO………
Accept: application/json
Content-Type: application/json
{ “isManaged”:true,
“isCompliant”:true
}
```
Where:
- **contoso.com** This is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** This is the device identifier for the device whose compliance information is being reported to Azure AD.
- **eyJ0eXAiO**……… This is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Azure AD Graph API. The access token is placed in the HTTP authorization header of the request.
- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
- **api-version** - Use this parameter to specify which version of the graph API is being requested.
Response:
- Success - HTTP 204 with No Content.
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant cannot be found.
## Data loss during unenrollment from Azure Active Directory Join
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
![aadj unenerollment](images/azure-ad-unenrollment.png)
## Error codes
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Code</th>
<th>ID</th>
<th>Error message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top">0x80180001</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180002</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_DEVICE_AUTHENTICATION_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180003</td>
<td style="vertical-align:top">&quot;idErrorAuthorizationFailure&quot;, // MENROLL_E_DEVICE_AUTHORIZATION_ERROR</td>
<td style="vertical-align:top"><p>This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180004</td>
<td style="vertical-align:top">&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR</td>
<td style="vertical-align:top"><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180005</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180006</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180007</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180008</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_UNKNOWN_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180009</td>
<td style="vertical-align:top">&quot;idErrorAlreadyInProgress&quot;, // MENROLL_E_ENROLLMENT_IN_PROGRESS</td>
<td style="vertical-align:top"><p>Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x8018000A</td>
<td style="vertical-align:top">&quot;idErrorMDMAlreadyEnrolled&quot;, // MENROLL_E_DEVICE_ALREADY_ENROLLED</td>
<td style="vertical-align:top"><p>This device is already enrolled. You can contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x8018000D</td>
<td style="vertical-align:top">&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID</td>
<td style="vertical-align:top"><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x8018000E</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_PASSWORD_NEEDED</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x8018000F</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_WAB_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180010</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_CONNECTIVITY</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180012</td>
<td style="vertical-align:top">&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_INVALIDSSLCERT</td>
<td style="vertical-align:top"><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180013</td>
<td style="vertical-align:top">&quot;idErrorDeviceLimit&quot;, // MENROLL_E_DEVICECAPREACHED</td>
<td style="vertical-align:top"><p>Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180014</td>
<td style="vertical-align:top">&quot;idErrorMDMNotSupported&quot;, // MENROLL_E_DEVICENOTSUPPORTED</td>
<td style="vertical-align:top"><p>This feature is not supported. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180015</td>
<td style="vertical-align:top">&quot;idErrorMDMNotSupported&quot;, // MENROLL_E_NOTSUPPORTED</td>
<td style="vertical-align:top"><p>This feature is not supported. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180016</td>
<td style="vertical-align:top">&quot;idErrorMDMRenewalRejected&quot;, // MENROLL_E_NOTELIGIBLETORENEW</td>
<td style="vertical-align:top"><p>The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180017</td>
<td style="vertical-align:top">&quot;idErrorMDMAccountMaintenance&quot;, // MENROLL_E_INMAINTENANCE</td>
<td style="vertical-align:top"><p>The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180018</td>
<td style="vertical-align:top">&quot;idErrorMDMLicenseError&quot;, // MENROLL_E_USERLICENSE</td>
<td style="vertical-align:top"><p>There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180019</td>
<td style="vertical-align:top">&quot;idErrorInvalidServerConfig&quot;, // MENROLL_E_ENROLLMENTDATAINVALID</td>
<td style="vertical-align:top"><p>Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">&quot;rejectedTermsOfUse&quot;</td>
<td style="vertical-align:top">&quot;idErrorRejectedTermsOfUse&quot;</td>
<td style="vertical-align:top"><p>Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0001</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c0002</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_DEVICE_AUTHENTICATION_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0003</td>
<td style="vertical-align:top">&quot;idErrorAuthorizationFailure&quot;, // DSREG_E_DEVICE_AUTHORIZATION_ERROR</td>
<td style="vertical-align:top"><p>This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c0006</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // DSREG_E_DEVICE_INTERNALSERVICE_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c000B</td>
<td style="vertical-align:top">&quot;idErrorUntrustedServer&quot;, // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED</td>
<td style="vertical-align:top">The server being contacted is not trusted. Contact your system administrator with the error code {0}.</td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c000C</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // DSREG_E_DISCOVERY_FAILED</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c000E</td>
<td style="vertical-align:top">&quot;idErrorDeviceLimit&quot;, // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED</td>
<td style="vertical-align:top"><p>Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c000F</td>
<td style="vertical-align:top">&quot;idErrorDeviceRequiresReboot&quot;, // DSREG_E_DEVICE_REQUIRES_REBOOT</td>
<td style="vertical-align:top"><p>A reboot is required to complete device registration.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0010</td>
<td style="vertical-align:top">&quot;idErrorInvalidCertificate&quot;, // DSREG_E_DEVICE_AIK_VALIDATION_ERROR</td>
<td style="vertical-align:top"><p>Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c0011</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_DEVICE_ATTESTATION_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0012</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c0013</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_TENANTID_NOT_FOUND</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0014</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_USERSID_NOT_FOUND</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
</tbody>
</table>
 
 

685
windows/client-management/mdm/bitlocker-csp.md Normal file
View File

@ -0,0 +1,685 @@
---
title: BitLocker CSP
description: BitLocker CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# BitLocker CSP
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703.
> [!Note]
> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
> You must send all the settings together in a single SyncML to be effective.
A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns
the setting configured by the admin.
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if TPM protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
The following diagram shows the BitLocker configuration service provider in tree format.
![bitlocker csp](images/provisioning-csp-bitlocker.png)
<a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**
<p style="margin-left: 20px">Defines the root node for the BitLocker configuration service provider.</p>
<a href="" id="requirestoragecardencryption"></a>**RequireStorageCardEncryption**
<p style="margin-left: 20px">Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.</p>
<p style="margin-left: 20px">Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.</p>
<p style="margin-left: 20px">If you want to disable this policy use the following SyncML:</p>
``` syntax
<SyncML>
<SyncBody>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
<p style="margin-left: 20px">Data type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="requiredeviceencryption"></a>**RequireDeviceEncryption**
<p style="margin-left: 20px">Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.</p>
<p style="margin-left: 20px">Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.</p>
<p style="margin-left: 20px">If you want to disable this policy use the following SyncML:</p>
``` syntax
<SyncML>
<SyncBody>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
<p style="margin-left: 20px">Data type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<p style="margin-left: 20px">Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" (Policy EncryptionMethodWithXts_Name).</p>
<p style="margin-left: 20px">This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.</p>
<p style="margin-left: 20px">If you enable this setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511.</p>
<p style="margin-left: 20px">If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.</p>
<p style="margin-left: 20px"> Sample value for this node to enable this policy and set the encryption methods is:</p>
``` syntax
<enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="xx"/>
```
<p style="margin-left: 20px">EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives</p>
<p style="margin-left: 20px">EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.</p>
<p style="margin-left: 20px">EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.</p>
<p style="margin-left: 20px"> The possible values for 'xx' are:</p>
<ul>
<li>3 = AES-CBC 128</li>
<li>4 = AES-CBC 256</li>
<li>6 = XTS-AES 128</li>
<li>7 = XTS-AES 256</li>
</ul>
<p style="margin-left: 20px"> If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup" (ConfigureAdvancedStartup_Name ).</p>
<p style="margin-left: 20px">This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.</p>
> [!Note]
> Only one of the additional authentication options can be required at startup, otherwise an error occurs.
<p style="margin-left: 20px">If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.</p>
<p style="margin-left: 20px">On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.</p>
<p style="margin-left: 20px">If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.</p>
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.</p>
> [!Note]
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/>
```
<p style="margin-left: 20px">Data id:</p>
<ul>
<li>ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).</li>
<li>ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key.</li>
<li>ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN.</li>
<li>ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.</li>
<li>ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.</li>
</ul>
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<p style="margin-left: 20px">The possible values for 'yy' are:</p>
<ul>
<li>2 = Optional</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup" (GP MinimumPINLength_Name).</p>
<p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
<p style="margin-left: 20px">If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.</p>
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="MinPINLength" value="xx"/>
```
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).</p>
<p style="margin-left: 20px">This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
</p>
<p style="margin-left: 20px">If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).</o>
<p style="margin-left: 20px">If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.</p>
<p style="margin-left: 20px">If you set the the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/>
```
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>0 = Empty</li>
<li>1 = Use default recovery message and URL.</li>
<li>2 = Custom recovery message is set.</li>
<li>3 = Custom recovery URL is set.</li>
<li>'yy' = string of max length 900.</li>
<li>'zz' = string of max length 500.</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
> [!Note]
> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).</p>
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.</p>
<p style="margin-left: 20px">The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.</p>
<p style="margin-left: 20px">In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.</p>
<p style="margin-left: 20px">Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.</p>
<p style="margin-left: 20px">Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.</p>
<p style="margin-left: 20px">Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.</p>
> [!Note]
> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
<p style="margin-left: 20px">If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.</p>
<p style="margin-left: 20px">If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/>
```
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
<li></li>
</ul>
<p style="margin-left: 20px">The possible values for 'yy' are:</p>
<ul>
<li>2 = Allowed</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
<p style="margin-left: 20px">The possible values for 'zz' are:</p>
<ul>
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
<li></li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (FDVRecoveryUsage_Name).</p>
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.</p>
<p style="margin-left: 20px">The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.</p>
<p style="margin-left: 20px">In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.</p>
<p style="margin-left: 20px">Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.</p>
<p style="margin-left: 20px">Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.</p>
<p style="margin-left: 20px">Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.</p>
<p style="margin-left: 20px">Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.</p>
> [!Note]
> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
<p style="margin-left: 20px">If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.</p>
<p style="margin-left: 20px">If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/>
```
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<p style="margin-left: 20px">The possible values for 'yy' are:</p>
<ul>
<li>2 = Allowed</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
<p style="margin-left: 20px">The possible values for 'zz' are:</p>
<ul>
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).</p>
<p style="margin-left: 20px">This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.</p>
<p style="margin-left: 20px">If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/>
```
<p style="margin-left: 20px">If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).</p>
<p style="margin-left: 20px">This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.</p>
<p style="margin-left: 20px">If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.</p>
<p style="margin-left: 20px">If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.</p>
<p style="margin-left: 20px">If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.</p>
> [!Note]
> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="RDVCrossOrg" value="xx"/>
```
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
### SyncML example
The following example is provided to show proper format and should not be taken as a recommendation.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<!-- Phone only policy -->
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<!-- All of the following policies are only supported on desktop SKU -->
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsOsDropDown_Name&quot; value=&quot;4&quot;/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsFdvDropDown_Name&quot; value=&quot;7&quot;/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsRdvDropDown_Name&quot; value=&quot;4&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;ConfigureNonTPMStartupKeyUsage_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;ConfigureTPMStartupKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;ConfigurePINUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;ConfigureTPMPINKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;ConfigureTPMUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;MinPINLength&quot; value=&quot;6&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;RecoveryMessage_Input&quot; value=&quot;blablablabla&quot;/&gt;
&lt;data id=&quot;PrebootRecoveryInfoDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;RecoveryUrl_Input&quot; value=&quot;blablabla&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;OSAllowDRA_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;OSRecoveryPasswordUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;OSRecoveryKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;OSHideRecoveryPage_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;OSActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;OSActiveDirectoryBackupDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;OSRequireActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;FDVAllowDRA_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;FDVRecoveryPasswordUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;FDVRecoveryKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;FDVHideRecoveryPage_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;FDVActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;FDVActiveDirectoryBackupDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;FDVRequireActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;RDVCrossOrg&quot; value=&quot;true&quot;/&gt;
</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**
<p style="margin-left: 20px">Allows the Admin to disable the warning prompt for other disk encryption on the user machines.</p>
<p style="margin-left: 20px">The following list shows the supported values:</p>
- 0 Disables the warning prompt.
- 1 (default) Warning prompt allowed.
<p style="margin-left: 20px">Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>110</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/DisableWarningForOtherDiskEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
```

601
windows/client-management/mdm/bitlocker-ddf-file.md Normal file
View File

@ -0,0 +1,601 @@
---
title: BitLocker DDF file
description: BitLocker DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# BitLocker DDF file
This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>BitLocker</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/BitLocker</MIME>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>RequireStorageCardEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to require storage card encryption on the device.
The format is integer.
This policy is only valid for mobile SKU.
Sample value for this node to enable this policy:
1
Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RequireDeviceEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption.
The format is integer.
Sample value for this node to enable this policy:
1
Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EncryptionMethodByDriveType</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511).
If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.”
The format is string.
Sample value for this node to enable this policy and set the encryption methods is:
&lt;enabled/&gt;&lt;data id=&quot;EncryptionMethodWithXtsOsDropDown_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;EncryptionMethodWithXtsFdvDropDown_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;EncryptionMethodWithXtsRdvDropDown_Name&quot; value=&quot;xx&quot;/&gt;
EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives.
EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
The possible values for 'xx' are:
3 = AES-CBC 128
4 = AES-CBC 256
6 = XTS-AES 128
7 = XTS-AES 256
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP EncryptionMethodWithXts_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SystemDrivesRequireStartupAuthentication</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.
Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.
If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.
If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.
Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;ConfigureNonTPMStartupKeyUsage_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;ConfigureTPMStartupKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;ConfigurePINUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;ConfigureTPMPINKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;ConfigureTPMUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;
ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
All of the below settings are for computers with a TPM.
ConfigureTPMStartupKeyUsageDropDown_Name = Configure TPM startup key.
ConfigurePINUsageDropDown_Name = Configure TPM startup PIN.
ConfigureTPMPINKeyUsageDropDown_Name = Configure TPM startup key and PIN.
ConfigureTPMUsageDropDown_Name = Configure TPM startup.
The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
The possible values for 'yy' are:
2 = Optional
1 = Required
0 = Disallowed
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP ConfigureAdvancedStartup_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SystemDrivesMinimumPINLength</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.
If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;MinPINLength&quot; value=&quot;xx&quot;/&gt;
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP MinimumPINLength_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SystemDrivesRecoveryMessage</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
If you set the "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).
If you set the "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
If you set the "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;PrebootRecoveryInfoDropDown_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;RecoveryMessage_Input&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;RecoveryUrl_Input&quot; value=&quot;zz&quot;/&gt;
The possible values for 'xx' are:
0 = Empty
1 = Use default recovery message and URL.
2 = Custom recovery message is set.
3 = Custom recovery URL is set.
'yy' = string of max length 900.
'zz' = string of max length 500.
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP PrebootRecoveryInfo_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SystemDrivesRecoveryOptions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.
The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
Note: If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;OSAllowDRA_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;OSRecoveryPasswordUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;OSRecoveryKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;OSHideRecoveryPage_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;OSActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;OSActiveDirectoryBackupDropDown_Name&quot; value=&quot;zz&quot;/&gt;&lt;data id=&quot;OSRequireActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;
The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
The possible values for 'yy' are:
2 = Allowed
1 = Required
0 = Disallowed
The possible values for 'zz' are:
2 = Store recovery passwords only
1 = Store recovery passwords and key packages
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP OSRecoveryUsage_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FixedDrivesRecoveryOptions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.
The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
Note: If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" data field is set, a recovery password is automatically generated.
If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;FDVAllowDRA_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;FDVRecoveryPasswordUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;FDVRecoveryKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;FDVHideRecoveryPage_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;FDVActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;FDVActiveDirectoryBackupDropDown_Name&quot; value=&quot;zz&quot;/&gt;&lt;data id=&quot;FDVRequireActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;
The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
The possible values for 'yy' are:
2 = Allowed
1 = Required
0 = Disallowed
The possible values for 'zz' are:
2 = Store recovery passwords only
1 = Store recovery passwords and key packages
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP FDVRecoveryUsage_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FixedDrivesRequireEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP FDVDenyWriteAccess_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RemovableDrivesRequireEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;RDVCrossOrg&quot; value=&quot;xx&quot;/&gt;
The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP RDVDenyWriteAccess_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```

51
windows/client-management/mdm/bootstrap-csp.md Normal file
View File

@ -0,0 +1,51 @@
---
title: BOOTSTRAP CSP
description: BOOTSTRAP CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# BOOTSTRAP CSP
The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
> **Note**  BOOTSTRAP CSP is only supported in Windows 10 Mobile.
 
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![bootstrap csp (cp)](images/provisioning-csp-bootstrap-cp.png)
<a href="" id="context-allow"></a>**CONTEXT-ALLOW**
Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.
<a href="" id="provurl"></a>**PROVURL**
Required. Specifies the location of a Trusted Provisioning Server (TPS). The PROVURL value must be a complete URL string with a maximum length of 256 characters.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

116
windows/client-management/mdm/browserfavorite-csp.md Normal file
View File

@ -0,0 +1,116 @@
---
title: BrowserFavorite CSP
description: BrowserFavorite CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# BrowserFavorite CSP
The BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
> **Note**  BrowserFavorite CSP is only supported in Windows Phone 8.1.
 
The BrowserFavorite configuration service provider manages only the favorites at the root favorite folder level. It does not manage subfolders under the root favorite folder nor does it manage favorites under a subfolder.
> **Note**  
This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_INTERNET\_EXPLORER\_FAVORITES capabilities to be accessed from a network configuration application.
 
The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![browserfavorite csp (cp)](images/provisioning-csp-browserfavorite-cp.png)
<a href="" id="favorite-name-------------"></a>***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
> **Note**  The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " &lt; &gt; |
 
Adding the same favorite twice adds only one occurrence to the Favorites list. If a favorite is added when another favorite with the same name but a different URL is already in the Favorites list, the existing favorite is replaced with the new favorite.
<a href="" id="url"></a>**URL**
Optional. Specifies the complete URL for the favorite.
## OMA client provisioning examples
Adding a new browser favorite.
``` syntax
<?xml version="1.0" encoding="UTF-8" ?>
<wap-provisioningdoc>
<characteristic type="BrowserFavorite">
<characteristic type="Help and how-to">
<parm name="URL" value="http://www.microsoft.com/windowsphone/en-US/howto/wp7/default.aspx"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Elements</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top-level query: Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

122
windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md Normal file
View File

@ -0,0 +1,122 @@
---
title: Bulk assign and reclaim seats from users
description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Windows Store for Business.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 99E2F37D-1FF3-4511-8969-19571656780A
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Bulk assign and reclaim seats from users
The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Windows Store for Business.
## Request
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Method</th>
<th>Request URI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>POST</p></td>
<td><p>https:<span></span>//bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats</p></td>
</tr>
</tbody>
</table>
 
### URI parameters
The following parameters may be specified in the request URI.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>productId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier for an application that is used by the Store for Business.</p></td>
</tr>
<tr class="even">
<td><p>skuId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier that specifies a specific SKU of an application.</p></td>
</tr>
<tr class="odd">
<td><p>username</p></td>
<td><p>string</p></td>
<td><p>Requires UserPrincipalName (UPN). User name of the target user account.</p></td>
</tr>
<tr class="even">
<td><p>seatAction</p></td>
<td><p>[SeatAction](data-structures-windows-store-for-business.md#seataction)</p></td>
<td></td>
</tr>
</tbody>
</table>
 
## Response
### Response body
The response body contains [BulkSeatOperationResultSet](data-structures-windows-store-for-business.md#bulkseatoperationresultset).
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Error code</th>
<th>Description</th>
<th>Retry</th>
<th>Data field</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>404</p></td>
<td><p>Not found</p></td>
<td></td>
<td><p>Item type: Inventory</p>
<p>Values: ProductId/SkuId</p></td>
</tr>
</tbody>
</table>
 
 

172
windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md Normal file
View File

@ -0,0 +1,172 @@
---
title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: DEB98FF3-CC5C-47A1-9277-9EF939716C87
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Bulk enrollment
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 desktop and mobile devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases
- Set up devices in bulk for large organizations to be managed by MDM.
- Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
- Set up school computers.
- Set up industrial machinery.
- Set handheld POS devices.
On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can log in to use it. This is especially useful in getting a large number of desktop ready to use within a domain.
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
> **Note**  
> - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone enviroment.
> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
 
## What you need
- Windows 10 devices
- Windows Imaging and Configuration Designer (ICD) tool
To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113) and [Getting started with Windows ICD](https://msdn.microsoft.com/library/windows/hardware/dn916112).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.)
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
## Create and apply a provisioning package for on-premise authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Click **Advanced Provisioning**.
![icd start page](images/bulk-enrollment7.png)
3. Enter a project name and click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Expand **Runtime settings** &gt; **Workplace**.
7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here is the list of available settings:
- **AuthPolicy** - Select **OnPremise**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
Here is the screenshot of the ICD at this point.
![bulk enrollment screenshot](images/bulk-enrollment.png)
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
10. When you are done adding all the settings, on the **File** menu, click **Save**.
11. On the main menu click **Export** &gt; **Provisioning package**.
![icd menu for export](images/bulk-enrollment2.png)
12. Enter the values for your package and specify the package output location.
![enter package information](images/bulk-enrollment3.png)
![enter additonal information for package information](images/bulk-enrollment4.png)
![specify file location](images/bulk-enrollment6.png)
13. Click **Build**.
![icb build window](images/bulk-enrollment5.png)
14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
15. Apply the package to your devices.
## Create and apply a provisioning package for certificate authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Click **Advanced Provisioning**.
3. Enter a project name and click **Next**.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Specify the certificate.
1. Go to **Runtime settings** &gt; **Certificates** &gt; **ClientCertificates**.
2. Enter a **CertificateName** and then click **Add**.
3. Enter the **CertificatePasword**.
4. For **CertificatePath**, browse and select the certificate to be used.
5. Set **ExportCertificate** to False.
6. For **KeyLocation**, select **Software only**.
![icd certificates section](images/bulk-enrollment8.png)
7. Specify the workplace settings.
1. Got to **Workplace** &gt; **Enrollments**.
2. Enter the **UPN** for the enrollment and then click **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here is the list of available settings:
- **AuthPolicy** - Select **Certificate**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - the certificate thumbprint.
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (e.g., **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
9. When you are done adding all the settings, on the **File** menu, click **Save**.
10. Export and build the package (steps 10-13 in the procedure above).
11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
12. Apply the package to your devices.
## Apply a provisioning package
Here's the list of topics about applying a provisioning package:
- [Apply a package on the first-run setup screen (out-of-the-box experience)](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-for-initial-deployment#apply-package) - topic in Technet.
- [Apply a package to a Windows 10 desktop edition image](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package to a Windows 10 Mobile image](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN.
- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below
## Apply a package from the Settings menu
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Click **Add or remove a provisioning package**.
3. Click **Add a package**.
## <a href="" id="validate-that-the-provisioning-package-was-applied-"></a>Validate that the provisioning package was applied
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Click **Add or remove a provisioning package**.
You should see the your package listed.
## Retry logic in case of a failure
If the provisioning engine receives a failure from a CSP it will retry to provision 3 times in a row.
If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry 4 times at a decaying rate of 15 minutes -&gt; 1 hr -&gt; 4 hr -&gt; "Next System Start". These attempts will be run from a SYSTEM context.
It will also retry to apply the provisioning each time it is launched, if started from somewhere else as well.
In addition, provisioning will be restarted in a SYSTEM context after a login and the system has been idle ([details on idle conditions](https://msdn.microsoft.com/library/windows/desktop/aa383561.aspx)).
## Other provisioning topics
Here are links to step-by-step provisioning topics in Technet.
- [Provision PCs with apps and certificates for initial deployment](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-with-apps-and-certificates)
- [Provision PCs with common settings for initial deployment](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-for-initial-deployment)
 

71
windows/client-management/mdm/cellularsettings-csp.md Normal file
View File

@ -0,0 +1,71 @@
---
title: CellularSettings CSP
description: CellularSettings CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: ce8b6f16-37ca-4aaf-98b0-306d12e326df
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CellularSettings CSP
The CellularSettings configuration service provider is used to configure cellular settings on a mobile device.
> [!Note]
> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![provisioning\-csp\-cellularsettings](images/provisioning-csp-cellularsettings.png)
<a href="" id="dataroam"></a>**DataRoam**
<p style="margin-left: 20px"> Optional. Integer. Specifies the default roaming value. Valid values are:</p>
<table style="margin-left: 20px"><table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Setting</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>0</p></td>
<td><p>Dont roam</p></td>
</tr>
<tr class="even">
<td><p>1</p></td>
<td><p>Dont roam (or Domestic roaming if applicable)</p></td>
</tr>
<tr class="odd">
<td><p>2</p></td>
<td><p>Roam</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

516
windows/client-management/mdm/certificate-authentication-device-enrollment.md Normal file
View File

@ -0,0 +1,516 @@
---
title: Certificate authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 57DB3C9E-E4C9-4275-AAB5-01315F9D3910
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Certificate authentication device enrollment
This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
> **Note**  To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107).
## In this topic
- [Discovery service](#discovery-service)
- [Enrollment policy web service](#enrollment-policy-web-service)
- [Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery Service
The following example shows the discovery service request.
``` syntax
POST /EnrollmentServer/Discovery.svc HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Enrollment Client
Host: EnterpriseEnrollment.Contoso.com
Content-Length: xxx
Cache-Control: no-cache
<?xml version="1.0"?>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
</a:Action>
<a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
</a:To>
</s:Header>
<s:Body>
<Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/">
<request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<EmailAddress>user@contoso.com</EmailAddress>
<OSEdition>101</OSEdition> <!--New in Windows 10-->
<OSVersion>10.0.0.0</OSVersion> <!--New in Windows 10-->
<RequestVersion>3.0</RequestVersion> <!--Updated in Windows 10-->
<DeviceType>WindowsPhone</DeviceType> <!--Legacy in Windows 10 for Windows Phone/Handheld-->
<ApplicationVersion>10.0.0.0</ApplicationVersion>
<AuthPolicies>Certificate</AuthPolicies> <!--New in Windows 10-->
</request>
</Discover>
</s:Body>
</s:Envelope>
```
The following example shows the discovery service response.
```
HTTP/1.1 200 OK
Content-Length: 865
Content-Type: application/soap+xml; charset=utf-8
Server: EnterpriseEnrollment.Contoso.com
Date: Tue, 02 Aug 2012 00:32:56 GMT
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
</a:Action>
<ActivityId>
d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
</ActivityId>
<a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<DiscoverResponse
xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
<DiscoverResult>
<AuthPolicy>Certificate</AuthPolicy>
<EnrollmentVersion>3.0</EnrollmentVersion>
<EnrollmentPolicyServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentPolicyServiceUrl>
<EnrollmentServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentServiceUrl>
</DiscoverResult>
</DiscoverResponse>
</s:Body>
</s:Envelope>
```
## Enrollment policy web service
The following example shows the policy web service request.
```
POST /ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Enrollment Client
Host: enrolltest.contoso.com
Content-Length: xxxx
Cache-Control: no-cache
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
</a:Action>
<a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken wsse:ValueType="X509v3” wsse:Id="mytoken” wsse:EncodingType=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken>
</wsse:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPolicies
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<client>
<lastUpdate xsi:nil="true"/>
<preferredLanguage xsi:nil="true"/>
</client>
<requestFilter xsi:nil="true"/>
</GetPolicies>
<ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ac:ContextItem Name="OSPlatform">
<ac:Value>WindowsMobile</ac:Value>
<ac:ContextItem Name="OSEdition">
<ac:Value>Core</ac:Value>
<ac:ContextItem Name="OSVersion">
<ac:Value>9.0.9999.0</ac:Value>
<ac:ContextItem Name="DeviceName">
<ac:Value>MY_WINDOWS_DEVICE</ac:Value>
<ac:ContextItem Name="MACAddress">
<ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
<ac:ContextItem Name="IMEI">
<ac:Value>49015420323756</ac:Value>
<ac:ContextItem Name="EnrollmentType">
<ac:Value>Lite</ac:Value>
<ac:ContextItem Name="DeviceType">
<ac:Value>WindowsPhone</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="ApplicationVersion">
<ac:Value>10.0.0.0</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceID">
<ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
</ac:AdditionalContext>
</s:Body>
</s:Envelope>
```
The following snippet shows the policy web service response.
```
HTTP/1.1 200 OK
Date: Fri, 03 Aug 2012 20:00:00 GMT
Server: <sever name here>
Content-Type: application/soap+xml
Content-Length: xxxx
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<s:Envelope
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse
</a:Action>
<ActivityId CorrelationId="08d2997e-e8ac-4c97-a4ce-d263e62186ab"
xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">
d4335d7c-e192-402d-b0e7-f5d550467e3c</ActivityId>
<a:RelatesTo>urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPoliciesResponse
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<response>
<policyFriendlyName xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<nextUpdateHours xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policiesNotChanged xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policies>
<policy>
<policyOIDReference>0</policyOIDReference>
<cAs xsi:nil="true" />
<attributes>
<policySchema>3</policySchema>
<privateKeyAttributes>
<minimalKeyLength>2048</minimalKeyLength>
<keySpec xsi:nil="true" />
<keyUsageProperty xsi:nil="true" />
<permissions xsi:nil="true" />
<algorithmOIDReference xsi:nil="true" />
<cryptoProviders xsi:nil="true" />
</privateKeyAttributes>
<supersededPolicies xsi:nil="true" />
<privateKeyFlags xsi:nil="true" />
<subjectNameFlags xsi:nil="true" />
<enrollmentFlags xsi:nil="true" />
<generalFlags xsi:nil="true" />
<hashAlgorithmOIDReference>0</hashAlgorithmOIDReference>
<rARequirements xsi:nil="true" />
<keyArchivalAttributes xsi:nil="true" />
<extensions xsi:nil="true" />
</attributes>
</policy>
</policies>
</response>
<cAs xsi:nil="true" />
<oIDs>
<oID>
<value>1.3.14.3.2.29</value>
<group>1</group>
<oIDReferenceID>0</oIDReferenceID>
<defaultName>szOID_OIWSEC_sha1RSASign</defaultName>
</oID>
</oIDs>
</GetPoliciesResponse>
</s:Body>
</s:Envelope>
```
## Enrollment web service
The following example shows the enrollment web service request.
```
POST /EnrollmentServer/DeviceEnrollmentWebService.svc HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Enrollment Client
Host: enrolltest.contoso.com
Content-Length: 3242
Cache-Control: no-cache
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep
</a:Action>
<a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsu:Timestamp>
<wsu:Created>2014-10-16T17:55:13Z</wsu:Created> <!-- Start time in UTC -->
<wsu:Expires>2014-10-16T17:57:13Z </wsu:Expires> <!-- Expiration time in UTC -->
</wsu:Timestamp>
<wsse:BinarySecurityToken wsse:ValueType=
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken
wsse:EncodingType=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
wsu:Id=”29801C2F-F26B-46AD-984B-AFAEFB545FF8”>
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken> <!—X509v3 Exported Public Cert, B64 Encoded, includes ID reference value to reference -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd”>
<ds:SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1/>
<ds:Reference URI="#envelop">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
<ds:DigestValue>MessageDigestValue</ds:DigestValue>
<!-- Digest value of message using digest method -->
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SignedMessageBlob/ds:SignatureValue>
<!-- Digest value of message signed with the users private key using RSA-SHA256 -->
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="29801C2F-F26B-46AD-984B-AFAEFB545FF8"
ValueType="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-x509-token-profile-1.0#X509"/>
<!-— References BinarySecurityToken that contains public key to verify signature -->
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</s:Header>
<s:Body>
<wst:RequestSecurityToken>
<wst:TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
<wsse:BinarySecurityToken
ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
DER format PKCS#10 certificate request in Base64 encoding Insterted Here
</wsse:BinarySecurityToken>
<ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ac:ContextItem Name="OSEdition"> <!--New in Windows 10-->
<ac:Value></ac:Value>
<ac:ContextItem Name="OSVersion"> <!--New in Windows 10-->
<ac:Value>10.0.0.0</ac:Value>
<ac:ContextItem Name="DeviceName"> <!--New in Windows 10-->
<ac:Value>MY_WINDOWS_DEVICE</ac:Value>
<ac:ContextItem Name="MAC"> <!--New in Windows 10 -->
<ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
<ac:ContextItem Name="MAC"> <!--New in Windows 10 -->
<ac:Value>CC:CC:CC:CC:CC:CC</ac:Value>
<ac:ContextItem Name="IMEI"> <!--New in Windows 10-->
<ac:Value>49015420323756</ac:Value>
<ac:ContextItem Name="EnrollmentType"> <!--New in Windows 10-->
<ac:Value>Full</ac:Value>
<ac:ContextItem Name="DeviceType"> <!—From Windows Phone 8.1-->
<ac:Value>WindowsPhone</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="ApplicationVersion"> <!—From Windows Phone 8.1-->
<ac:Value>10.0.0.0</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceID"> <!--From Handheld 8.1 -->
<ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
<ac:ContextItem Name="EnrollmentData">
<ac:Value>3J4KLJ9SDJFAL93JLAKHJSDFJHAO83HAKSHFLAHSKFNHNPA2934342</ac:Value>
<ac:ContextItem Name="TargetedUserLoggedIn">
<ac:Value>True</ac:Value>
</ac:AdditionalContext>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>
```
The following example shows the enrollment web service response.
```
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10231
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Fri, 03 Aug 2012 00:32:59 GMT
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<Action s:mustUnderstand="1" >
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep
</Action>
<a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab</a:RelatesTo>
<o:Security s:mustUnderstand="1" xmlns:o=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2012-08-02T00:32:59.420Z</u:Created>
<u:Expires>2012-08-02T00:37:59.420Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<RequestSecurityTokenResponse>
<TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType>
<RequestedSecurityToken>
<BinarySecurityToken
ValueType=
"http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
EncodingType=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</BinarySecurityToken>
</RequestedSecurityToken>
<RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0
</RequestID>
</RequestSecurityTokenResponse>
</RequestSecurityTokenResponseCollection>
</s:Body>
</s:Envelope>
```
The following example shows the encoded provisioning XML.
```
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<characteristic type="Root">
<characteristic type="System">
<characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
<parm name="EncodedCertificate" value="B64 encoded cert insert here" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="CertificateStore">
<characteristic type="My" >
<characteristic type="User">
<characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
<parm name="EncodedCertificate" value="B64EncodedCertInsertedHere" />
</characteristic>
<characteristic type="PrivateKeyContainer"/>
<!-- This tag must be present for XML syntax correctness. -->
</characteristic>
<characteristic type="WSTEP">
<characteristic type="Renew">
<!—If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<parm name="ROBOSupport" value="true" datatype="boolean"/>
<parm name="RenewPeriod" value="60" datatype="integer"/>
<parm name="RetryInterval" value="4" datatype="integer"/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="APPLICATION">
<parm name="APPID" value="w7"/>
<parm name="PROVIDER-ID" value="TestMDMServer"/>
<parm name="NAME" value="Microsoft"/>
<parm name="ADDR" value="https://DM.contoso.com:443/omadm/Windows.ashx"/>
<parm name="CONNRETRYFREQ" value="6" />
<parm name="INITIALBACKOFFTIME" value="30000" />
<parm name="MAXBACKOFFTIME" value="120000" />
<parm name="BACKCOMPATRETRYDISABLED" />
<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
<parm name="SSLCLIENTCERTSEARCHCRITERIA" value=
"Subject=DC%3dcom%2cDC%3dmicrosoft%2cCN%3dUsers%2cCN%3dAdministrator&amp;amp;Stores=My%5CUser"/>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="CLIENT"/>
<parm name="AAUTHTYPE" value="DIGEST"/>
<parm name="AAUTHSECRET" value="password1"/>
<parm name="AAUTHDATA" value="B64encodedBinaryNonceInsertedHere"/>
</characteristic>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="APPSRV"/>
<parm name="AAUTHTYPE" value="BASIC"/>
<parm name="AAUTHNAME" value="testclient"/>
<parm name="AAUTHSECRET" value="password2"/>
</characteristic>
</characteristic>
<characteristic type="DMClient"> <!-- In Windows 10, an enrollment server should use DMClient CSP XML to configure DM polling schedules. -->
<characteristic type="Provider">
<!-- ProviderID in DMClient CSP must match to PROVIDER-ID in w7 APPLICATION characteristics -->
<characteristic type="TestMDMServer">
<parm name="UPN" value="UserPrincipalName" datatype="string" />
<characteristic type="Poll">
<parm name="NumberOfFirstRetries" value="8" datatype="integer" />
<parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
<parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic>
<parm name="EntDeviceName" value="Administrator_Windows" datatype="string" />
</characteristic>
</characteristic>
</characteristic>
<!-- For Windows 10, we have removed EnterpriseAppManagement from the enrollment
protocol. This configuration service provider is being deprecated for Windows 10. -->
</wap-provisioningdoc>
```
 

187
windows/client-management/mdm/certificate-renewal-windows-mdm.md Normal file
View File

@ -0,0 +1,187 @@
---
title: Certificate Renewal
description: The enrolled client certificate expires after a period of use.
MS-HAID:
- 'p\_phdevicemgmt.certificate\_renewal'
- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: F910C50C-FF67-40B0-AAB0-CA7CE02A9619
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> **Note**  Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
 
## In this topic
- [Automatic certificate renewal request](#automatic-certificate-renewal-request)
- [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration)
- [Certificate renewal response](#certificate-renewal-response)
- [Configuration service providers supported during MDM enrollment and certificate renewal](#configuration-service-providers-supported-during-mdm-enrollment-and-certificate-renewal)
<a href="" id="automatic-certificate-renewal"></a>
## Automatic certificate renewal request
In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal.
> **Note**  Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
 
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate.
For the device that is enrolled with the OnPremise authentication method, for backward compatibility, the default renewal method is user manual certificate renewal. However, for Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal via CertificateStore CSPs ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. For more information about Renew related configuration settings, refer to the CertificateStore configuration service provider.
Unlike manual certificate renewal where there is an additional b64 encoding for PKCS\#7 message content, with automatic renewal, the PKCS\#7 message content isnt b64 encoded separately.
During the automatic certificate renewal process, if the root certificate isnt trusted by the device, the authentication will fail. Make sure using one of device pre-installed root certificates or provision the root cert over a DM session via CertificateStore Configuration Service Provider.
During the automatic certificate renew process, the device will deny HTTP redirect request from the server unless it is the same redirect URL that the user explicitly accepted during the initial MDM enrollment process.
The following example shows the details of an automatic renewal request.
```
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep</a:Action>
<a:MessageID>urn:uuid:61a17f2c-42e9-4a45-9c85-f15c1c8baee8</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://dm.contoso.com/EnrollmentService/DeviceEnrollmentService.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2011-07-11T19:49:08.579Z</u:Created>
<u:Expires>2011-07-11T19:54:08.579Z</u:Expires>
</u:Timestamp>
<o:UsernameToken u:Id="uuid-2a734df6-b227-4e60-82a8-ed53c574b718-5">
<o:Username>user@contoso.com</o:Username>
<o:Password o:Type=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType>
<RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew</RequestType>
<BinarySecurityToken
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
BinarySecurityTokenInsertedHere
</BinarySecurityToken>
<AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ContextItem Name="DeviceType">
<Value>WindowsPhone</Value>
</ContextItem>
<ContextItem Name="ApplicationVersion">
<Value>5.0.7616.0</Value>
</ContextItem>
</AdditionalContext>
</RequestSecurityToken>
</s:Body>
</s:Envelope>
```
<a href="" id="certificate-renewal-schedule"></a>
## Certificate renewal schedule configuration
In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry to be configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSPs RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, instead of only reminding the user once, the Windows device will remind the user with a prompt dialog at every renewal retry time until the certificate is expired.
For more information about the parameters, see the CertificateStore configuration service provider.
Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week.
> **Note**  For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
> For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design.
 
## Certificate renewal response
When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
- The signature of the PKCS\#7 BinarySecurityToken is correct
- The clients certificate is in the renewal period
- The certificate was issued by the enrollment service
- The requester is the same as the requester for initial enrollment
- For standard clients request, the client hasnt been blocked
After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of an certificate renewal response.
```
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<!-- Root certificate provision is only needed here if it is not in the device already --> <characteristic type="Root">
<characteristic type="System">
<characteristic type="EncodedRootCertHashInsertedHere ">
<parm name="EncodedCertificate" value="EncodedCertInsertedHere" />
</characteristic>
</characteristic>
</characteristic>
<characteristic type="My" >
<characteristic type="User">
<characteristic type="EncodedClientCertHashInsertedHere">
<parm name="EncodedCertificate" value="EncodedCertInsertedHere" />
<characteristic type="PrivateKeyContainer"/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="APPLICATION">
<parm name="PROVIDER-ID" value="TestMDMServer"/>
</characteristic>
</wap-provisioningdoc>
```
> **Note**  The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
 
<a href="" id="csp-support-during-enrollment-and-renewal"></a>
## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
- CertificateStore
- w7 APPLICATION
- DMClient
- EnterpriseAppManagement
 

640
windows/client-management/mdm/certificatestore-csp.md Normal file
View File

@ -0,0 +1,640 @@
---
title: CertificateStore CSP
description: CertificateStore CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CertificateStore CSP
The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates.
> **Note**   The CertificateStore configuration service provider does not support installing client certificates.
 
For the CertificateStore CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
![provisioning\-csp\-certificatestore](images/provisioning-csp-certificatestore.png)
<a href="" id="root-system"></a>**Root/System**
Defines the certificate store that contains root, or self-signed, certificates.
Supported operation is Get.
> **Note**  Root/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing root certificates.
 
<a href="" id="ca-system"></a>**CA/System**
Defines the certificate store that contains cryptographic information, including intermediary certification authorities.
Supported operation is Get.
> **Note**  CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates.
 
<a href="" id="my-user"></a>**My/User**
Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications.
Supported operation is Get.
> **Note**  My/User is case sensitive.
 
<a href="" id="my-system"></a>**My/System**
Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading.
Supported operation is Get.
> **Note**  My/System is case sensitive.
 
<a href="" id="certhash"></a>***CertHash***
Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
Supported operations are Get, Delete, and Replace.
<a href="" id="certhash-encodedcertificate"></a>***CertHash*/EncodedCertificate**
Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="certhash-issuedby"></a>***CertHash*/IssuedBy**
Required. Returns the name of the certificate issuer. This is equivalent to the *Issuer* member in the CERT\_INFO data structure.
Supported operation is Get.
<a href="" id="certhash-issuedto"></a>***CertHash*/IssuedTo**
Required. Returns the name of the certificate subject. This is equivalent to the *Subject* member in the CERT\_INFO data structure.
Supported operation is Get.
<a href="" id="certhash-validfrom"></a>***CertHash*/ValidFrom**
Required. Returns the starting date of the certificate's validity. This is equivalent to the *NotBefore* member in the CERT\_INFO structure.
Supported operation is Get.
<a href="" id="certhash-validto"></a>***CertHash*/ValidTo**
Required. Returns the expiration date of the certificate. This is equivalent to the *NotAfter* member in the CERT\_INFO structure.
Supported operation is Get.
<a href="" id="certhash-templatename"></a>***CertHash*/TemplateName**
Required. Returns the certificate template name.
Supported operation is Get.
<a href="" id="my-scep"></a>**My/SCEP**
Required for Simple Certificate Enrollment Protocol (SCEP) certificate enrollment. The parent node grouping the SCEP certificate related settings.
Supported operation is Get.
> **Note**  Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward. All enhancements to SCEP will happen in that CSP.
 
<a href="" id="my-scep-uniqueid"></a>**My/SCEP/****_UniqueID_**
Required for SCEP certificate enrollment. A unique ID to differentiate certificate enrollment requests. Format is node.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="my-scep-uniqueid-install"></a>**My/SCEP/*UniqueID*/Install**
Required for SCEP certificate enrollment. Parent node to group SCEP certificate install related request. Format is node.
Supported operations are Add, Replace, and Delete.
> **Note**   Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values.
 
<a href="" id="my-scep-uniqueid-install-serverurl"></a>**My/SCEP/*UniqueID*/Install/ServerURL**
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. The server could specify multiple server URLs separated by a semicolon. Value type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-challenge"></a>**My/SCEP/*UniqueID*/Install/Challenge**
Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Value type is chr.
Supported operations are Get, Add, Replace, and Delete.
Challenge will be deleted shortly after the Exec command is accepted.
<a href="" id="my-scep-uniqueid-install-ekumapping"></a>**My/SCEP/*UniqueID*/Install/EKUMapping**
Required. Specifies the extended key usages and subject to SCEP server configuration. The list of OIDs are separated by a plus sign **+**, such as OID1+OID2+OID3. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-keyusage"></a>**My/SCEP/*UniqueID*/Install/KeyUsage**
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value does not have those bits set, configuration will fail. Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-subjectname"></a>**My/SCEP/*UniqueID*/Install/SubjectName**
Required. Specifies the subject name. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-keyprotection"></a>**My/SCEP/*UniqueID*/Install/KeyProtection**
Optional. Specifies the location of the private key. Although the private key is protected by TPM, it is not protected with TPM PIN. SCEP enrolled certificate does not support TPM PIN protection.
Supported values are one of the following:
- 1 Private key is protected by device TPM.
- 2 Private key is protected by device TPM if the device supports TPM.
- 3 (default) Private key is only saved in the software KSP.
Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-retrydelay"></a>**My/SCEP/*UniqueID*/Install/RetryDelay**
Optional. Specifies the device retry waiting time in minutes when the SCEP server sends the pending status. Default value is 5 and the minimum value is 1. Value type is an integer.
Supported operations are Get, Add, and Delete.
<a href="" id="my-scep-uniqueid-install-retrycount"></a>**My/SCEP/*UniqueID*/Install/RetryCount**
Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value cannot be larger than 30. If it is larger than 30, the device will use 30. The min value is 0, which means no retry.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-templatename"></a>**My/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server; therefore, the MDM server typically does not need to provide it. Value type is chr.
Supported operations are Get, Add, and Delete.
<a href="" id="my-scep-uniqueid-install-keylength"></a>**My/SCEP/*UniqueID*/Install/KeyLength**
Required for enrollment. Specify private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-hashalgorithm"></a>**My/SCEP/*UniqueID*/Install/HashAlgorithm**
Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +.
Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-cathumbprint"></a>**My/SCEP/*UniqueID*/Install/CAThumbprint**
Required. Specifies the root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it does not match, the authentication fails. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-subjectalternativenames"></a>**My/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *&lt;nameformat1&gt;*+*&lt;actual name1&gt;*;*&lt;name format 2&gt;*+*&lt;actual name2&gt;*. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-validperiod"></a>**My/SCEP/*UniqueID*/Install/ValidPeriod**
Optional. Specifies the units for the valid period. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
Valid values are one of the following:
- Days (default)
- Months
- Years
> **Note**   The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
 
<a href="" id="my-scep-uniqueid-install-validperiodunits"></a>**My/SCEP/*UniqueID*/Install/ValidPeriodUnits**
Optional. Specifies desired number of units used in validity period and subject to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
> **Note**   The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
 
<a href="" id="my-scep-uniqueid-install-enroll"></a>**My/SCEP/*UniqueID*/Install/Enroll**
Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node does not contain a value.
Supported operation is Exec.
<a href="" id="my-wstep-certthumbprint"></a>**My/WSTEP/CertThumbprint**
Optional. Returns the current MDM client certificate thumbprint. If renewal succeeds, it shows the renewed certificate thumbprint. If renewal fails or is in progress, it shows the thumbprint of the cert that needs to be renewed. Value type is chr.
Supported operation is Get.
<a href="" id="my-scep-uniqueid-status"></a>**My/SCEP/*UniqueID*/Status**
Required. Specifies the latest status for the certificate due to enrollment request. Value type is chr.
Supported operation is Get.
Valid values are one of the following:
- 1 Finished successfully.
- 2 Pending. The device has not finished the action, but has received the SCEP server pending response.
- 16 - Action failed.
- 32 Unknown.
<a href="" id="my-scep-uniqueid-errorcode"></a>**My/SCEP/*UniqueID*/ErrorCode**
Optional. The integer value that indicates the HRESULT of the last enrollment error code.
Supported operation is Get.
<a href="" id="my-scep-uniqueid-certthumbprint"></a>**My/SCEP/*UniqueID*/CertThumbprint**
Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr.
Supported operation is Get.
<a href="" id="my-scep-uniqueid-respondentserverurl"></a>**My/SCEP/*UniqueID*/RespondentServerUrl**
Required. Returns the URL of the SCEP server that responded to the enrollment request. Value type is string.
Supported operation is Get.
<a href="" id="my-wstep"></a>**My/WSTEP**
Required for MDM enrolled device. The parent node that hosts the MDM enrollment client certificate related settings that is enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node.
Supported operation is Get.
<a href="" id="my-wstep-renew"></a>**My/WSTEP/Renew**
Optional. The parent node to group renewal related settings.
Supported operation is Get.
<a href="" id="my-wstep-renew-serverurl"></a>**My/WSTEP/Renew/ServerURL**
Optional. Specifies the URL of certificate renewal server. If this node does not exist, the client uses the initial certificate enrollment URL.
> **Note**  The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service.
 
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="my-wstep-renew-renewalperiod"></a>**My/WSTEP/Renew/RenewalPeriod**
Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It is recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity.
The default value is 42 and the valid values are 1 1000. Value type is an integer.
Supported operations are Add, Get, Delete, and Replace.
> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
 
<a href="" id="my-wstep-renew-retryinterval"></a>**My/WSTEP/Renew/RetryInterval**
Optional. Specifies the retry interval (in days) when the previous renewal failed. It applies to both manual certificate renewal and ROBO automatic certificate renewal. The retry schedule stops at the certificate expiration date.
For ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date. This parameter specifies the waiting period for ROBO renewal retries.
For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again.
The default value is 7 and the valid values are 1 1000 AND =&lt; RenewalPeriod, otherwise it will result in errors. Value type is an integer.
Supported operations are Add, Get, Delete, and Replace.
> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
 
<a href="" id="my-wstep-renew-robosupport"></a>**My/WSTEP/Renew/ROBOSupport**
Optional. Notifies the client if the MDM enrollment server supports ROBO auto certificate renewal. Value type is bool.
ROBO is the only supported renewal method for Windows 10. This value is ignored and always considered to be true.
Supported operations are Add, Get, Delete, and Replace.
> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
 
<a href="" id="my-wstep-renew-status"></a>**My/WSTEP/Renew/Status**
Required. Shows the latest action status for this certificate. Value type is an integer.
Supported operation is Get.
Supported values are one of the following:
- 0 Not started.
- 1 Renewal in progress.
- 2 Renewal succeeded.
- 3 Renewal failed.
<a href="" id="my-wstep-renew-errorcode"></a>**My/WSTEP/Renew/ErrorCode**
Optional. If certificate renewal fails, this integer value indicates the HRESULT of the last error code during the renewal process. Value type is an integer.
Supported operation is Get.
<a href="" id="my-wstep-renew-lastrenewalattempttime"></a>**My/WSTEP/Renew/LastRenewalAttemptTime**
Added in Windows 10, version 1607. Time of the last attempted renewal.
Supported operation is Get.
<a href="" id="my-wstep-renew-renewnow"></a>**My/WSTEP/Renew/RenewNow**
Added in Windows 10, version 1607. Initiates a renewal now.
Supported operation is Execute.
<a href="" id="my-wstep-renew-retryafterexpiryinterval"></a>**My/WSTEP/Renew/RetryAfterExpiryInterval**
Added in Windows 10, version 1703. How long after the enrollment certificate has expired before trying to renew.
Supported operations are Add, Get, and Replace.
## Examples
Add a root certificate to the MDM server.
``` syntax
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/CertificateStore/Root/System/<CertificateHashInsertedhere>/EncodedCertificate
</LocURI>
</Target>
<Data>B64EncodedCertInsertedHere</Data>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
</Meta>
</Item>
</Add>
```
Get all installed client certificates.
``` syntax
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/CertificateStore/My/User?list=StructData
</LocURI>
</Target>
</Item>
</Get>
```
Delete a root certificate.
``` syntax
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/CertificateStore/Root/System/<CertificateHashInsertedHere>
</LocURI>
</Target>
</Item>
</Delete>
```
Configure the device to enroll a client certificate through SCEP.
``` syntax
<Atomic>
<CmdID>100</CmdID>
<Add>
<CmdID>1</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Add>
<CmdID>2</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryCount</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>3</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryDelay</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>4</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyUsage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>160</Data>
</Item>
</Add>
<Add>
<CmdID>5</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1024</Data>
</Item>
</Add>
<Add>
<CmdID>6</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/HashAlgorithm</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SHA-1</Data>
</Item>
</Add>
<Add>
<CmdID>7</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CN=AnnaLee</Data>
</Item>
</Add>
<Add>
<CmdID>8</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectAlternativeNames</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>11+tom@MyDomain.Contoso.com;3+MyDomain.Contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>9</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriod</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Years</Data>
</Item>
</Add>
<Add>
<CmdID>10</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriodUnits</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>11</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/EKUMapping</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2</Data>
</Item>
</Add>
<Add>
<CmdID>12</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyProtection</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>3</Data>
</Item>
</Add>
<Add>
<CmdID>13</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ServerURL</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>https://contoso.com/certsrv/ctcep.dll</Data>
</Item>
</Add>
<Add>
<CmdID>14</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/Challenge</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>ChallengeInsertedHere</Data>
</Item>
</Add>
<Add>
<CmdID>15</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/CAThumbprint</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CAThumbprintInsertedHere</Data>
</Item>
</Add>
<Exec>
<CmdID>16</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/Enroll</LocURI>
</Target>
</Item>
</Exec>
</Atomic>
```
Configure the device to automatically renew an MDM client certificate with the specified renew period and retry interval.
``` syntax
<Atomic>
<CmdID>1</CmdID>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/ROBOSupport</LocURI></Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Replace>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RenewPeriod</LocURI></Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>60</Data>
</Item>
</Replace>
<Replace>
<CmdID>4</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RetryInterval</LocURI></Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>4</Data>
</Item>
</Replace>
</Atomic>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

1680
windows/client-management/mdm/certificatestore-ddf-file.md Normal file
View File

File diff suppressed because it is too large Load Diff

33
windows/client-management/mdm/cleanpc-csp.md Normal file
View File

@ -0,0 +1,33 @@
---
title: CleanPC CSP
description: The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CleanPC CSP
The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
The following diagram shows the CleanPC configuration service provider in tree format.
![CleanPC csp diagram](images/provisioning-csp-cleanpc.png)
<a href="" id="--device-vendor-msft-cleanpc"></a>**./Device/Vendor/MSFT/CleanPC**
<p style="margin-left: 20px">The root node for the CleanPC configuration service provider.</p>
<a href="" id="cleanpcwithoutretaininguserdata"></a>**CleanPCWithoutRetainingUserData**
<p style="margin-left: 20px">An integer specifying a CleanPC operation without any retention of user data.
<p style="margin-left: 20px">The only supported operation is Execute.
<a href="" id="cleanpcwithoutretaininguserdata"></a>**CleanPCRetainingUserData**
<p style="margin-left: 20px">An integer specifying a CleanPC operation with retention of user data.
<p style="margin-left: 20px">The only supported operation is Execute.

108
windows/client-management/mdm/cleanpc-ddf.md Normal file
View File

@ -0,0 +1,108 @@
---
title: CleanPC DDF
description: This topic shows the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CleanPC DDF
This topic shows the OMA DM device description framework (DDF) for the **CleanPC** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>CleanPC</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Allow removal of user installed and pre-installed applications, with option to persist user data</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/CleanPC</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>CleanPCWithoutRetainingUserData</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>CleanPC operation without any retention of User data</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CleanPCRetainingUserData</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>CleanPC operation with retention of User data</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
 
 

675
windows/client-management/mdm/clientcertificateinstall-csp.md Normal file
View File

@ -0,0 +1,675 @@
---
title: ClientCertificateInstall CSP
description: ClientCertificateInstall CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# ClientCertificateInstall CSP
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
> **Note**  
Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following image shows the ClientCertificateInstall configuration service provider in tree format.
![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png)
<a href="" id="device-or-user"></a>**Device or User**
<p style="margin-left: 20px">For device certificates, use **./Device/Vendor/MSFT** path and for user certificates use **./User/Vendor/MSFT** path.
<a href="" id="clientcertificateinstall"></a>**ClientCertificateInstall**
<p style="margin-left: 20px">The root node for the ClientCertificateInstaller configuration service provider.
<a href="" id="clientcertificateinstall-pfxcertinstall"></a>**ClientCertificateInstall/PFXCertInstall**
<p style="margin-left: 20px">Required for PFX certificate installation. The parent node grouping the PFX certificate related settings.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid"></a>**ClientCertificateInstall/PFXCertInstall/****_UniqueID_**
<p style="margin-left: 20px">Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
<p style="margin-left: 20px">The data type format is node.
<p style="margin-left: 20px">Supported operations are Get, Add, and Delete .
<p style="margin-left: 20px">Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-keylocation"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation**
<p style="margin-left: 20px">Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<p style="margin-left: 20px">The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|---------------------------------------------------------------------------------------------------------------|
| 1 | Install to TPM if present, fail if not present. |
| 2 | Install to TPM if present. If not present, fallback to software. |
| 3 | Install to software. |
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
<p style="margin-left: 20px">ptional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
<p style="margin-left: 20px">Date type is string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertblob"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
<p style="margin-left: 20px">CRYPT\_DATA\_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.
<p style="margin-left: 20px">The data type format is binary.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<p style="margin-left: 20px">If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten.
<p style="margin-left: 20px">If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail.
<p style="margin-left: 20px">In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT\_DATA\_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](http://go.microsoft.com/fwlink/p/?LinkId=523871).
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpassword"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
<p style="margin-left: 20px">Password that protects the PFX blob. This is required if the PFX is password protected.
<p style="margin-left: 20px">Data Type is a string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptiontype"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**
<p style="margin-left: 20px">Optional. Used to specify whtether the PFX certificate password is encrypted with the MDM certificate by the MDM sever.
<p style="margin-left: 20px">The data type is int. Valid values:
- 0 - Password is not encrypted.
- 1 - Password is encrypted with the MDM certificate.
- 2 - Password is encrypted with custom certificate.
<p style="margin-left: 20px">When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
<p style="margin-left: 20px">Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
> **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
 
<p style="margin-left: 20px">The data type bool.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-thumbprint"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint**
<p style="margin-left: 20px">Returns the thumbprint of the installed PFX certificate.
<p style="margin-left: 20px">The datatype is a string.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-status"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status**
<p style="margin-left: 20px">Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore.
<p style="margin-left: 20px">Data type is an integer.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptionstore"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore**
<p style="margin-left: 20px">Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP**
<p style="margin-left: 20px">Node for SCEP.
> **Note**  An alert is sent after the SCEP certificate is installed.
 
<a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/****_UniqueID_**
<p style="margin-left: 20px">A unique ID to differentiate different certificate installation requests.
<p style="margin-left: 20px">Supported operations are Get, Add, Replace, and Delete.
<a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install**
<p style="margin-left: 20px">A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
<p style="margin-left: 20px">Supported operations are Get, Add, Replace, and Delete.
> **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
 
<a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
<p style="margin-left: 20px">Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-challenge"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
<p style="margin-left: 20px">Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-ekumapping"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
<p style="margin-left: 20px">Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus **+**. For example, *OID1*+*OID2*+*OID3*.
Data type is string.
<p style="margin-left: 20px">Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesnt have those bits set, the configuration will fail.
<p style="margin-left: 20px">Data type is int.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectname"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
<p style="margin-left: 20px">Required. Specifies the subject name.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
<p style="margin-left: 20px">Optional. Specifies where to keep the private key.
> **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN.
 
<p style="margin-left: 20px">The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | Private key protected by TPM. |
| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. |
| 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specifed, otherwise enrollment will fail. |
 
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrydelay"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
<p style="margin-left: 20px">Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
<p style="margin-left: 20px">Data type format is an integer.
<p style="margin-left: 20px">The default value is 5.
<p style="margin-left: 20px">The minimum value is 1.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrycount"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
<p style="margin-left: 20px">Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status.
<p style="margin-left: 20px">Data type is integer.
<p style="margin-left: 20px">Default value is 3.
<p style="margin-left: 20px">Maximum value is 30. If the value is larger than 30, the device will use 30.
<p style="margin-left: 20px">Minimum value is 0, which indicates no retry.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
<p style="margin-left: 20px">Optional. OID of certificate template name.
> **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it.
 
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keylength"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
<p style="margin-left: 20px">Required for enrollment. Specify private key length (RSA).
<p style="margin-left: 20px">Data type is integer.
<p style="margin-left: 20px">Valid values are 1024, 2048, and 4096.
<p style="margin-left: 20px">For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-hashalgorithm"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
<p style="margin-left: 20px">Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with **+**.
<p style="margin-left: 20px">For Windows Hello for Business, only SHA256 is the supported algorithm.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-cathumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
<p style="margin-left: 20px">Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectalternativenames"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
<p style="margin-left: 20px">Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.
<p style="margin-left: 20px">Each pair is separated by semicolon. For example, multiple SANs are presented in the format of *\[name format1\]*+*\[actual name1\]*;*\[name format 2\]*+*\[actual name2\]*.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiod"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
<p style="margin-left: 20px">Optional. Specifies the units for the valid certificate period.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Valid values are:
- Days (Default)
- Months
- Years
> **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
 
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
<p style="margin-left: 20px">Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
<p style="margin-left: 20px">Data type is string.
>**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
 
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-containername"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
<p style="margin-left: 20px">Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-customtexttoshowinprompt"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
<p style="margin-left: 20px">Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-enroll"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
<p style="margin-left: 20px">Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
<p style="margin-left: 20px">The date type format is Null, meaning this node doesnt contain a value.
<p style="margin-left: 20px">The only supported operation is Execute.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-aadkeyidentifierlist"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
<p style="margin-left: 20px">Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-certthumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
<p style="margin-left: 20px">Optional. Specifies the current certificates thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
<p style="margin-left: 20px">If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">The only supported operation is Get.
<a href="" id="clientcertificateinstall-scep-uniqueid-status"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Status**
<p style="margin-left: 20px">Required. Specifies latest status of the certificated during the enrollment request.
<p style="margin-left: 20px">Data type is string. Valid values:
<p style="margin-left: 20px">The only supported operation is Get.
| Value | Description |
|-------|---------------------------------------------------------------------------------------------------|
| 1 | Finished successfully |
| 2 | Pending (the device hasnt finished the action but has received the SCEP server pending response) |
| 16 | Action failed |
| 32 | Unknown |
 
<a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
<p style="margin-left: 20px">Optional. An integer value that indicates the HRESULT of the last enrollment error code.
<p style="margin-left: 20px">The only supported operation is Get.
<a href="" id="clientcertificateinstall-scep-uniqueid-respondentserverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl**
<p style="margin-left: 20px">Required. Returns the URL of the SCEP server that responded to the enrollment request.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">The only supported operation is Get.
## Example
Enroll a client certificate through SCEP.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Atomic>
<Add>
<CmdID>301</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere></LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Add>
<CmdID>302</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/RetryCount</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>303</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/RetryDelay</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>304</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/KeyUsage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>160</Data>
</Item>
</Add>
<Add>
<CmdID>305</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/KeyLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1024</Data>
</Item>
</Add>
<Add>
<CmdID>306</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/HashAlgorithm</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SHA-1</Data>
</Item>
</Add>
<Add>
<CmdID>307</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/SubjectName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CN=ContosoCSP</Data>
</Item>
</Add>
<Add>
<CmdID>308</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/SubjectAlternativeNames</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data></Data>
</Item>
</Add>
<Add>
<CmdID>309</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/ValidPeriod</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Years</Data>
</Item>
</Add>
<Add>
<CmdID>310</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/ValidPeriodUnits</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>311</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/EKUMapping</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2</Data>
</Item>
</Add>
<Add>
<CmdID>312</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/KeyProtection</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>3</Data>
</Item>
</Add>
<Add>
<CmdID>313$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/ServerURL</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>http://constoso.com/certsrv/mscep/mscep.dll</Data>
</Item>
</Add>
<Add>
<CmdID>314</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/Challenge</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>1234CB055B7EBF384A9486A22B7559A5</Data>
</Item>
</Add>
<Add>
<CmdID>315</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/CAThumbprint</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>12345087E648875D1DF5D9F9FF89DD10</Data>
</Item>
</Add>
<Exec>
<CmdID>316</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/Enroll</LocURI>
</Target>
</Item>
</Exec>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate fro "My" store.
``` syntax
<SyncML>
<SyncBody>
<Delete>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C</LocURI>
</Target>
</Item>
</Delete>
<Atomic>
<CmdID>$CmdID$</CmdID>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/KeyLocation</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertBlob</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Base64_Encode_Cert_Blob</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPassword</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Base64Encoded_Encrypted_Password_Blog</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionType</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionStore</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>My</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXKeyExportable</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

1070
windows/client-management/mdm/clientcertificateinstall-ddf-file.md Normal file
View File

File diff suppressed because it is too large Load Diff

317
windows/client-management/mdm/cm-cellularentries-csp.md Normal file
View File

@ -0,0 +1,317 @@
---
title: CM\_CellularEntries CSP
description: CM\_CellularEntries CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CM\_CellularEntries CSP
The CM\_CellularEntries configuration service provider is used to configure the General Packet Radio Service (GPRS) entries on the device. It defines each GSM data access point.
> [!Note]
> Starting in the next major update to Windows 10, the CM\_CellularEntries CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![cm\-cellularentries csp](images/provisioning-csp-cm-cellularentries.png)
<a href="" id="entryname"></a>**_entryname_**
<p style="margin-left: 20px">Defines the name of the connection.</p>
<p style="margin-left: 20px">The [CMPolicy configuration service provider](cmpolicy-csp.md) uses the value of *entryname* to identify the connection that is associated with a policy and [CM\_ProxyEntries configuration service provider](cm-proxyentries-csp.md) uses the value of *entryname* to identify the connection that is associated with a proxy.</p>
<a href="" id="alwayson"></a>**AlwaysOn**
<p style="margin-left: 20px">Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available.
<p style="margin-left: 20px">A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS.
<p style="margin-left: 20px">A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs.
<p style="margin-left: 20px">There must be at least one AlwaysOn Internet connection provisioned for the mobile operator.
<a href="" id="authtype"></a>**AuthType**
<p style="margin-left: 20px">Optional. Type: String. Specifies the method of authentication used for a connection.
<p style="margin-left: 20px">A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None".
<a href="" id="connectiontype"></a>**ConnectionType**
<p style="margin-left: 20px">Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available:
<table style="margin-left: 20px"><table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<tbody>
<tr class="odd">
<td><p>gprs</p></td>
<td><p>Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).</p></td>
</tr>
<tr class="even">
<td><p>cdma</p></td>
<td><p>Used for CDMA type connections (1XRTT + EVDO).</p></td>
</tr>
<tr class="odd">
<td><p>lte</p></td>
<td><p>Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.</p></td>
</tr>
<tr class="even">
<td><p>legacy</p></td>
<td><p>Used for GPRS + GSM + EDGE + UMTS connections.</p></td>
</tr>
<tr class="odd">
<td><p>lte_iwlan</p></td>
<td><p>Used for GPRS type connections that may be offloaded over WiFi</p></td>
</tr>
<tr class="even">
<td><p>iwlan</p></td>
<td><p>Used for connections that are implemented over WiFi offload only</p></td>
</tr>
</tbody>
</table>
 
<a href="" id="desc-langid"></a>**Desc.langid**
<p style="margin-left: 20px">Optional. Specifies the UI display string used by the defined language ID.
<p style="margin-left: 20px"> A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry.
<a href="" id="enabled"></a>**Enabled**
<p style="margin-left: 20px"> Specifies if the connection is enabled.
<p style="margin-left: 20px"> A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled.
<a href="" id="ipheadercompression"></a>**IpHeaderCompression**
<p style="margin-left: 20px"> Optional. Specifies if IP header compression is enabled.
<p style="margin-left: 20px"> A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled.
<a href="" id="password"></a>**Password**
<p style="margin-left: 20px"> Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN.
<a href="" id="swcompression"></a>**SwCompression**
<p style="margin-left: 20px"> Optional. Specifies if software compression is enabled.
<p style="margin-left: 20px"> A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled.
<a href="" id="username"></a>**UserName**
<p style="margin-left: 20px"> Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN.
<a href="" id="userequiresmappingspolicy"></a>**UseRequiresMappingsPolicy**
<p style="margin-left: 20px"> Optional. Specifies if the connection requires a corresponding mappings policy.
<p style="margin-left: 20px"> A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present.
<p style="margin-left: 20px"> For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
<a href="" id="version"></a>**Version**
<p style="margin-left: 20px"> Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider.
<p style="margin-left: 20px"> This value must be "1" if included.
<a href="" id="gprsinfoaccesspointname"></a>**GPRSInfoAccessPointName**
<p style="margin-left: 20px"> Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT".
<a href="" id="roaming"></a>**Roaming**
<p style="margin-left: 20px"> Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available:
- 0 - Home network only.
- 1 (default)- All roaming conditions (home and roaming).
- 2 - Home and domestic roaming only.
- 3 - Domestic roaming only.
- 4 - Non-domestic roaming only.
- 5 - Roaming only.
<a href="" id="oemconnectionid"></a>**OEMConnectionID**
<p style="margin-left: 20px"> Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
<a href="" id="apnid"></a>**ApnId**
<p style="margin-left: 20px"> Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices.
<a href="" id="iptype"></a>**IPType**
<p style="margin-left: 20px"> Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4".
> [!Warning]  
> Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6.
 
<a href="" id="exemptfromdisablepolicy"></a>**ExemptFromDisablePolicy**
<p style="margin-left: 20px"> Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt).
<p style="margin-left: 20px"> To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed.
> [!Important]  
> Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections.
<p style="margin-left: 20px"> To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should:
- Hide the toggle for AllowMmsIfDataIsOff by setting AllowMmsIfDataIsOffEnabled to 0 (default is 1)
- Set AllowMMSIfDataIsOff to 1 (default is 0)
 
<a href="" id="exemptfromroaming"></a>**ExemptFromRoaming**
<p style="margin-left: 20px"> Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt).
<a href="" id="tetheringnai"></a>**TetheringNAI**
<p style="margin-left: 20px"> Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0".
<a href="" id="idledisconnecttimeout"></a>**IdleDisconnectTimeout**
<p style="margin-left: 20px"> Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds.
> [!Important]  
<p style="margin-left: 20px"> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used.
 
> [!Note]  
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
 
<a href="" id="simiccid"></a>**SimIccId**
<p style="margin-left: 20px"> For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
<a href="" id="purposegroups"></a>**PurposeGroups**
<p style="margin-left: 20px"> Optional. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
- Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F
- MMS - 53E2C5D3-D13C-4068-AA38-9C48FF2E55A8
- IMS - 474D66ED-0E4B-476B-A455-19BB1239ED13
- SUPL - 6D42669F-52A9-408E-9493-1071DCC437BD
- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB (added in the next version of Windows 10)
- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 (added in the next version of Windows 10)
## Additional information
To delete a connection, you must first delete any associated proxies and then delete the connection. The following example shows how to delete the proxy and then the connection.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_ProxyEntries">
<nocharacteristic type="GPRS_Proxy"/>
</characteristic>
<characteristic type="CM_CellularEntries">
<nocharacteristic type="GPRS1"/>
</characteristic>
</wap-provisioningdoc>
```
## OMA client provisioning examples
Configuring a GPRS connection:
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Configuring an LTE connection:
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="LteConn">
<parm name="ConnectionType" value="lte" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="INTERNET_LTE" />
</characteristic>
<parm name="ApnId" value="0" />
<parm name="IPType" value="IPv4v6" />
<parm name="Enabled" value="1" />
<parm name="OemConnectionId" value="01234567-89AB-CDEF-0123-456789ABCDEF" />
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Configuring a CDMA connection:
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="CDMAConn">
<parm name="Version" value="1"/>
<parm name="AuthType" value="chap" />
<parm name="ConnectionType" value="cdma"/>
<parm name="Enabled" value="1"/>
<parm name="AlwaysOn" value="0"/>
<parm name="UseRequiresMappingsPolicy" value="0"/>
<parm name="UserName" value="user@adatum.com"/>
<parm name="Password" value="fakeuserpassword"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

153
windows/client-management/mdm/cm-proxyentries-csp.md Normal file
View File

@ -0,0 +1,153 @@
---
title: CM\_ProxyEntries CSP
description: CM\_ProxyEntries CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CM\_ProxyEntries CSP
The CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
> **Note**  CM\_ProxyEntries CSP is only supported in Windows 10 Mobile.
 
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
The following diagram shows the CM\_ProxyEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP) and OMA Device Management(OMA DM). Support for OMA DM was added in Windows 10, version 1607.
![cm\-proxyentries csp (cp)](images/provisioning-csp-cm-proxyentries-cp.png)
<a href="" id="entryname"></a>**entryname**
Defines the name of the connection proxy.
Each cellular entry can have only one proxy entry. For example, an Internet connection can have no more than one HTTP proxy specified but it might also have a WAP proxy. If two applications need access to the same APN but one application needs a proxy and the other application cannot have a proxy, two entries can be created with different names for the same APN.
<a href="" id="connectionname"></a>**ConnectionName**
Specifies the name of the connection the proxy is associated with. This is the APN name of a connection configured using the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md).
<a href="" id="bypasslocal"></a>**BypassLocal**
Specifies if the proxy should be bypassed when local hosts are accessed by the device.
A value of "0" specifies that the proxy bypass for local hosts is disabled. A value of "1" specifies that the proxy bypass for local hosts is enabled.
<a href="" id="enable"></a>**Enable**
Specifies if the proxy is enabled.
A value of "0" specifies that the proxy is disabled. A value of "1" specifies that the proxy is enabled.
<a href="" id="exception"></a>**Exception**
Specifies a list of external hosts which should bypass the proxy when accessed.
The exception list is a semi-colon delimited list of host names. For example, to bypass the proxy when either MSN or Yahoo is accessed, the value for the Exception list would be "www.msn.com;www.yahoo.com".
<a href="" id="password"></a>**Password**
Specifies the password used to connect to the proxy.
Passwords are only required for WAP and SOCKS proxies and are not used for HTTP proxies. Queries of this parameter return a string composed of asterisks (\*).
When setting the password, passing in the same string causes the new password to be ignored and does not change the existing password.
<a href="" id="port"></a>**Port**
Specifies the port number of the proxy server.
<a href="" id="server"></a>**Server**
Specifies the name of the proxy server.
<a href="" id="type"></a>**Type**
Specifies the type of proxy connection for this entry.
The following list enumerates the values allowed for the Type parameter.
- "0" = Null proxy
- "1" = HTTP proxy
- "2" = WAP proxy
- "4" = SOCKS4 proxy
- "5" = SOCKS5 proxy
The Null proxy can be used to allow Connection Manager to treat one network as a super set of another network by creating a null proxy from one network to the other.
<a href="" id="username"></a>**UserName**
Specifies the username used to connect to the proxy.
## Additional information
To delete both a proxy and its associated connection, you must delete the proxy first, and then delete the connection. The following example shows how to delete the proxy and then the connection.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_ProxyEntries">
<nocharacteristic type="GPRS_Proxy"/>
</characteristic>
<characteristic type="CM_CellularEntries">
<nocharacteristic type="GPRS1"/>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top level query: Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

516
windows/client-management/mdm/cmpolicy-csp.md Normal file
View File

@ -0,0 +1,516 @@
---
title: CMPolicy CSP
description: CMPolicy CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 62623915-9747-4eb1-8027-449827b85e6b
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CMPolicy CSP
The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request.
> **Note**  
This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies
**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following diagram shows the CMPolicy configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
![cmpolicy csp (dm,cp)](images/provisioning-csp-cmpolicy.png)
<a href="" id="policyname"></a>***policyName***
Defines the name of the policy.
<a href="" id="sid"></a>**SID**
The value of SID depends on the ClientType.
For Universal Windows Platform (UWP) app-based mapping policies, SID is the Package family name without curly brackets {}, not the application.
For non-UWP application-based mapping policies, SID is the application product ID in GUID format. The curly brackets {} around the GUID are required.
For host-based mapping policies, SID must be set to `*`.
<a href="" id="clienttype"></a>**ClientType**
Specifies the mapping policy type.
The following list describes the available mapping policy types:
- Application-based mapping policies are applied to applications. To specify this mapping type, use the value `app`.
- Host-based mapping policies are applied to all types of clients requesting connections to specified host(s). To specify this mapping type, use the value `*`.
<a href="" id="host"></a>**Host**
Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use.
The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
<a href="" id="orderedconnections"></a>**OrderedConnections**
Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn****_XXX_**
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
<a href="" id="connectionid"></a>**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to “GPRS1”, the connection name could be “GPRS1@WAP”.
For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available:
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Connection type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GSM</p></td>
<td><p>{A05DC613-E393-40ad-AA89-CCCE04277CD9}</p></td>
</tr>
<tr class="even">
<td><p>CDMA</p></td>
<td><p>{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}</p></td>
</tr>
<tr class="odd">
<td><p>Legacy 3GPP</p></td>
<td><p>{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{2378E547-8312-46A5-905E-5C581E92693B}</p></td>
</tr>
<tr class="odd">
<td><p>Wi-Fi</p></td>
<td><p>{8568B401-858E-4B7B-B3DF-0FD4927F131B}</p></td>
</tr>
<tr class="even">
<td><p>Wi-Fi hotspot</p></td>
<td><p>{072FC7DC-1D93-40D1-9BB0-2114D7D73434}</p></td>
</tr>
</tbody>
</table>
 
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Network type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GPRS</p></td>
<td><p>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</p></td>
</tr>
<tr class="even">
<td><p>1XRTT</p></td>
<td><p>{B1E700AE-A62F-49FF-9BBE-B880C995F27D}</p></td>
</tr>
<tr class="odd">
<td><p>EDGE</p></td>
<td><p>{C347F8EC-7095-423D-B838-7C7A7F38CD03}</p></td>
</tr>
<tr class="even">
<td><p>WCDMA UMTS</p></td>
<td><p>{A72F04C6-9BE6-4151-B5EF-15A53E12C482}</p></td>
</tr>
<tr class="odd">
<td><p>WCDMA FOMA</p></td>
<td><p>{B8326098-F845-42F3-804E-8CC3FF7B50B4}</p></td>
</tr>
<tr class="even">
<td><p>1XEVDO</p></td>
<td><p>{DD42DF39-EBDF-407C-8146-1685416401B2}</p></td>
</tr>
<tr class="odd">
<td><p>1XEVDV</p></td>
<td><p>{61BF1BFD-5218-4CD4-949C-241CA3F326F6}</p></td>
</tr>
<tr class="even">
<td><p>HSPA HSDPA</p></td>
<td><p>{047F7282-BABD-4893-AA77-B8B312657F8C}</p></td>
</tr>
<tr class="odd">
<td><p>HSPA HSUPA</p></td>
<td><p>{1536A1C6-A4AF-423C-8884-6BDDA3656F84}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}</p></td>
</tr>
<tr class="odd">
<td><p>EHRPD</p></td>
<td><p>{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet 10Mbps</p></td>
<td><p>{97D3D1B3-854A-4C32-BD1C-C13069078370}</p></td>
</tr>
<tr class="odd">
<td><p>Ethernet 100Mbps</p></td>
<td><p>{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet Gbps</p></td>
<td><p>{556C1E6B-B8D4-448E-836D-9451BA4CCE75}</p></td>
</tr>
</tbody>
</table>
 
For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available:
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Device type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Cellular device</p></td>
<td><p>{F9A53167-4016-4198-9B41-86D9522DC019}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet</p></td>
<td><p>{97844272-00C7-4572-B20A-D8D861C095F2}</p></td>
</tr>
<tr class="odd">
<td><p>Bluetooth</p></td>
<td><p>{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}</p></td>
</tr>
<tr class="even">
<td><p>Virtual</p></td>
<td><p>{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}</p></td>
</tr>
</tbody>
</table>
 
<a href="" id="type"></a>**Type**
Specifies the type of connection being referenced. The following list describes the available connection types:
- `CMST_CONNECTION_NAME` A connection specified by name.
- `CMST_CONNECTION_TYPE` Any connection of a specified type.
- `CMST_CONNECTION_NETWORK_TYPE` Any connection of a specified network type.
- `CMST_CONNECTION_DEVICE_TYPE` Any connection of the specified device type.
## OMA client provisioning examples
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn1">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
<characteristic type="CMPolicy">
<characteristic type="Policy1">
<parm name="SID" value="{A05D1234-F393-9385-AA89-CD3E049367D2}" />
<parm name="ClientType" value="app" />
<parm name="Host" value="*.+" />
<parm name="OrderedConnections" value="1" />
<characteristic type="Connections">
<characteristic type="Conn000">
<parm name="Type" value="CMST_CONNECTION_DEVICE_TYPE" />
<parm name="ConnectionId" value="{F9A53167-4016-4198-9B41-86D9522DC019}" />
</characteristic>
<characteristic type="Conn001">
<parm name="Type" value="CMST_CONNECTION_NETWORK_TYPE" />
<parm name="ConnectionId" value="{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}" />
</characteristic>
<characteristic type="Conn002">
<parm name="Type" value="CMST_CONNECTION_NAME" />
<parm name="ConnectionId" value="GPRSConn1" />
</characteristic>
<characteristic type="Conn003">
<parm name="Type" value="CMST_CONNECTION_TYPE" />
<parm name="ConnectionId" value="{072FC7DC-1D93-40d1-9BB0-2114D7D73434}" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn1">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
<characteristic type="CMPolicy">
<characteristic type="Policy3">
<parm name="SID" value="*" />
<parm name="ClientType" value="*" />
<parm name="Host" value="*.contoso.com" />
<parm name="OrderedConnections" value="1" />
<characteristic type="Connections">
<characteristic type="Conn000">
<parm name="Type" value="CMST_CONNECTION_DEVICE_TYPE" />
<parm name="ConnectionId" value="{F9A53167-4016-4198-9B41-86D9522DC019}" />
</characteristic>
<characteristic type="Conn001">
<parm name="Type" value="CMST_CONNECTION_NETWORK_TYPE" />
<parm name="ConnectionId" value="{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}" />
</characteristic>
<characteristic type="Conn002">
<parm name="Type" value="CMST_CONNECTION_NAME" />
<parm name="ConnectionId" value="GPRSConn1" />
</characteristic>
<characteristic type="Conn003">
<parm name="Type" value="CMST_CONNECTION_TYPE" />
<parm name="ConnectionId" value="{072FC7DC-1D93-40d1-9BB0-2114D7D73434}" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## OMA DM examples
Adding an application-based mapping policy:
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<Add>
<CmdID>8051</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/SID</LocURI>
</Target>
<Data>{A05D1234-F393-9385-AA89-CD3E049367D2}</Data>
</Item>
</Add>
<Add>
<CmdID>8052</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/ClientType</LocURI>
</Target>
<Data>app</Data>
</Item>
</Add>
<Add>
<CmdID>8053</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/Host</LocURI>
</Target>
<Data>*.+</Data>
</Item>
</Add>
<Add>
<CmdID>8054</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/OrderedConnections</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>8055</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/Connections/Conn000/ConnectionId</LocURI>
</Target>
<Data>{A05DC613-E393-40AD-AA89-CCCE04277CD9}</Data>
</Item>
</Add>
<Add>
<CmdID>8056</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/Connections/Conn000/Type</LocURI>
</Target>
<Data>CMST_CONNECTION_DEVICE_TYPE</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
Adding a host-based mapping policy:
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<Add>
<CmdID>8049</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/SID</LocURI>
</Target>
<Data>*</Data>
</Item>
</Add>
<Add>
<CmdID>8050</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/ClientType</LocURI>
</Target>
<Data>*</Data>
</Item>
</Add>
<Add>
<CmdID>8051</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/Host</LocURI>
</Target>
<Data>*.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>8052</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/OrderedConnections</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>8053</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/Connections/Conn000/ConnectionId</LocURI>
</Target>
<Data>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</Data>
</Item>
</Add>
<Add>
<CmdID>8054</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/Connections/Conn000/Type</LocURI>
</Target>
<Data>CMST_CONNECTION_NETWORK_TYPE</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
## Microsoft Custom Elements
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top level query: Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

516
windows/client-management/mdm/cmpolicyenterprise-csp.md Normal file
View File

@ -0,0 +1,516 @@
---
title: CMPolicyEnterprise CSP
description: CMPolicyEnterprise CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: A0BE3458-ABED-4F80-B467-F842157B94BF
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CMPolicyEnterprise CSP
The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request.
> **Note**  
This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following diagram shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
![cmpolicy csp (dm,cp)](images/provisioning-csp-cmpolicyenterprise.png)
<a href="" id="policyname"></a>***policyName***
Defines the name of the policy.
<a href="" id="sid"></a>**SID**
The value of SID depends on the ClientType.
For Universal Windows Platform (UWP) app-based mapping policies, SID is the Package family name without curly brackets {}, not the application.
For non-UWP application-based mapping policies, SID is the application product ID in GUID format. The curly brackets {} around the GUID are required.
For host-based mapping policies, SID must be set to `*`.
<a href="" id="clienttype"></a>**ClientType**
Specifies the mapping policy type.
The following list describes the available mapping policy types:
- Application-based mapping policies are applied to applications. To specify this mapping type, use the value `app`.
- Host-based mapping policies are applied to all types of clients requesting connections to specified host(s). To specify this mapping type, use the value `*`.
<a href="" id="host"></a>**Host**
Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use.
The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
<a href="" id="orderedconnections"></a>**OrderedConnections**
Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn****_XXX_**
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
<a href="" id="connectionid"></a>**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to “GPRS1”, the connection name could be “GPRS1@WAP”.
For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Connection type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GSM</p></td>
<td><p>{A05DC613-E393-40ad-AA89-CCCE04277CD9}</p></td>
</tr>
<tr class="even">
<td><p>CDMA</p></td>
<td><p>{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}</p></td>
</tr>
<tr class="odd">
<td><p>Legacy 3GPP</p></td>
<td><p>{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{2378E547-8312-46A5-905E-5C581E92693B}</p></td>
</tr>
<tr class="odd">
<td><p>Wi-Fi</p></td>
<td><p>{8568B401-858E-4B7B-B3DF-0FD4927F131B}</p></td>
</tr>
<tr class="even">
<td><p>Wi-Fi hotspot</p></td>
<td><p>{072FC7DC-1D93-40D1-9BB0-2114D7D73434}</p></td>
</tr>
</tbody>
</table>
 
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Network type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GPRS</p></td>
<td><p>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</p></td>
</tr>
<tr class="even">
<td><p>1XRTT</p></td>
<td><p>{B1E700AE-A62F-49FF-9BBE-B880C995F27D}</p></td>
</tr>
<tr class="odd">
<td><p>EDGE</p></td>
<td><p>{C347F8EC-7095-423D-B838-7C7A7F38CD03}</p></td>
</tr>
<tr class="even">
<td><p>WCDMA UMTS</p></td>
<td><p>{A72F04C6-9BE6-4151-B5EF-15A53E12C482}</p></td>
</tr>
<tr class="odd">
<td><p>WCDMA FOMA</p></td>
<td><p>{B8326098-F845-42F3-804E-8CC3FF7B50B4}</p></td>
</tr>
<tr class="even">
<td><p>1XEVDO</p></td>
<td><p>{DD42DF39-EBDF-407C-8146-1685416401B2}</p></td>
</tr>
<tr class="odd">
<td><p>1XEVDV</p></td>
<td><p>{61BF1BFD-5218-4CD4-949C-241CA3F326F6}</p></td>
</tr>
<tr class="even">
<td><p>HSPA HSDPA</p></td>
<td><p>{047F7282-BABD-4893-AA77-B8B312657F8C}</p></td>
</tr>
<tr class="odd">
<td><p>HSPA HSUPA</p></td>
<td><p>{1536A1C6-A4AF-423C-8884-6BDDA3656F84}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}</p></td>
</tr>
<tr class="odd">
<td><p>EHRPD</p></td>
<td><p>{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet 10Mbps</p></td>
<td><p>{97D3D1B3-854A-4C32-BD1C-C13069078370}</p></td>
</tr>
<tr class="odd">
<td><p>Ethernet 100Mbps</p></td>
<td><p>{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet Gbps</p></td>
<td><p>{556C1E6B-B8D4-448E-836D-9451BA4CCE75}</p></td>
</tr>
</tbody>
</table>
 
For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Device type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Cellular device</p></td>
<td><p>{F9A53167-4016-4198-9B41-86D9522DC019}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet</p></td>
<td><p>{97844272-00C7-4572-B20A-D8D861C095F2}</p></td>
</tr>
<tr class="odd">
<td><p>Bluetooth</p></td>
<td><p>{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}</p></td>
</tr>
<tr class="even">
<td><p>Virtual</p></td>
<td><p>{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}</p></td>
</tr>
</tbody>
</table>
 
<a href="" id="type"></a>**Type**
Specifies the type of connection being referenced. The following list describes the available connection types:
- `CMST_CONNECTION_NAME` A connection specified by name.
- `CMST_CONNECTION_TYPE` Any connection of a specified type.
- `CMST_CONNECTION_NETWORK_TYPE` Any connection of a specified device type.
- `CMST_CONNECTION_DEVICE_TYPE` Any connection of the specified network type.
## OMA client provisioning examples
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn1">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
<characteristic type="CMPolicyEnterprise">
<characteristic type="Policy1">
<parm name="SID" value="{A05D1234-F393-9385-AA89-CD3E049367D2}" />
<parm name="ClientType" value="app" />
<parm name="Host" value="*.+" />
<parm name="OrderedConnections" value="1" />
<characteristic type="Connections">
<characteristic type="Conn000">
<parm name="Type" value="CMST_CONNECTION_DEVICE_TYPE" />
<parm name="ConnectionId" value="{F9A53167-4016-4198-9B41-86D9522DC019}" />
</characteristic>
<characteristic type="Conn001">
<parm name="Type" value="CMST_CONNECTION_NETWORK_TYPE" />
<parm name="ConnectionId" value="{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}" />
</characteristic>
<characteristic type="Conn002">
<parm name="Type" value="CMST_CONNECTION_NAME" />
<parm name="ConnectionId" value="GPRSConn1" />
</characteristic>
<characteristic type="Conn003">
<parm name="Type" value="CMST_CONNECTION_TYPE" />
<parm name="ConnectionId" value="{072FC7DC-1D93-40d1-9BB0-2114D7D73434}" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn1">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
<characteristic type="CMPolicyEnterprise">
<characteristic type="Policy3">
<parm name="SID" value="*" />
<parm name="ClientType" value="*" />
<parm name="Host" value="*.contoso.com" />
<parm name="OrderedConnections" value="1" />
<characteristic type="Connections">
<characteristic type="Conn000">
<parm name="Type" value="CMST_CONNECTION_DEVICE_TYPE" />
<parm name="ConnectionId" value="{F9A53167-4016-4198-9B41-86D9522DC019}" />
</characteristic>
<characteristic type="Conn001">
<parm name="Type" value="CMST_CONNECTION_NETWORK_TYPE" />
<parm name="ConnectionId" value="{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}" />
</characteristic>
<characteristic type="Conn002">
<parm name="Type" value="CMST_CONNECTION_NAME" />
<parm name="ConnectionId" value="GPRSConn1" />
</characteristic>
<characteristic type="Conn003">
<parm name="Type" value="CMST_CONNECTION_TYPE" />
<parm name="ConnectionId" value="{072FC7DC-1D93-40d1-9BB0-2114D7D73434}" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## OMA DM examples
Adding an application-based mapping policy:
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<Add>
<CmdID>8051</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/SID</LocURI>
</Target>
<Data>{A05D1234-F393-9385-AA89-CD3E049367D2}</Data>
</Item>
</Add>
<Add>
<CmdID>8052</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/ClientType</LocURI>
</Target>
<Data>app</Data>
</Item>
</Add>
<Add>
<CmdID>8053</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/Host</LocURI>
</Target>
<Data>*.+</Data>
</Item>
</Add>
<Add>
<CmdID>8054</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/OrderedConnections</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>8055</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/Connections/Conn000/ConnectionId</LocURI>
</Target>
<Data>{A05DC613-E393-40AD-AA89-CCCE04277CD9}</Data>
</Item>
</Add>
<Add>
<CmdID>8056</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/Connections/Conn000/Type</LocURI>
</Target>
<Data>CMST_CONNECTION_DEVICE_TYPE</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
Adding a host-based mapping policy:
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<Add>
<CmdID>8049</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/SID</LocURI>
</Target>
<Data>*</Data>
</Item>
</Add>
<Add>
<CmdID>8050</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/ClientType</LocURI>
</Target>
<Data>*</Data>
</Item>
</Add>
<Add>
<CmdID>8051</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/Host</LocURI>
</Target>
<Data>*.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>8052</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/OrderedConnections</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>8053</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/Connections/Conn000/ConnectionId</LocURI>
</Target>
<Data>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</Data>
</Item>
</Add>
<Add>
<CmdID>8054</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/Connections/Conn000/Type</LocURI>
</Target>
<Data>CMST_CONNECTION_NETWORK_TYPE</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
## Microsoft Custom Elements
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top level query: Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

318
windows/client-management/mdm/cmpolicyenterprise-ddf-file.md Normal file
View File

@ -0,0 +1,318 @@
---
title: CMPolicyEnterprise DDF file
description: CMPolicyEnterprise DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 065EF07A-0CF3-4EE5-B620-3464A75B7EED
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CMPolicyEnterprise DDF file
This topic shows the OMA DM device description framework (DDF) for the **CMPolicyEnterprise** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>CMPolicyEnterprise</NodeName>
<!-- NOTE: from here below, CMPolicy and CMPolicyEnterprise should be identical -->
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/CMPolicyEnterprise</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>The name of the policy</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>PolicyName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>SID</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The value of SID depends on the ClienType</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>SID</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ClientType</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies the mapping policy type</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ClientType</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Host</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies the name of a host pattern</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Host</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>OrderedConnections</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies whether the list of connections is in preference order</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>OrderedConnection</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Connections</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CS />
</CaseSense>
<DFTitle>Connections</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>Connection associated with the policy</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ConnXXX</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ConnectionID</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>A unique identifier for a connection within a group of connections</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ConnectionID</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Type</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The type of connection being referenced</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Type</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[CMPolicyEnterprise configuration service provider](cmpolicyenterprise-csp.md)
 
 

1060
windows/client-management/mdm/configuration-service-provider-reference.md Normal file
View File

File diff suppressed because it is too large Load Diff

97
windows/client-management/mdm/create-a-custom-configuration-service-provider.md Normal file
View File

@ -0,0 +1,97 @@
---
title: Create a custom configuration service provider
description: Create a custom configuration service provider
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 0cb37f03-5bf2-4451-8276-23f4a1dee33f
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Create a custom configuration service provider
Mobile device OEMs can create custom configuration service providers to manage their devices. A configuration service provider includes an interface for creating, editing, and deleting nodes, and the nodes themselves. Each node contains data for one registry value and can optionally support get, set, and delete operations.
To design a custom configuration service provider, the OEM must perform the following steps:
1. Establish node semantics
2. Shape the configuration service provider's subtree
3. Choose a transactioning scheme for each node
4. Determine node operations
For more information, see [Designing a custom configuration service provider](design-a-custom-windows-csp.md).
To write a custom configuration service provider, the OEM must implement the following interfaces:
- [IConfigServiceProvider2](iconfigserviceprovider2.md) (one per configuration service provider)
- [ICSPNode](icspnode.md) (one per node)
- [ICSPNodeTransactioning](icspnodetransactioning.md) (optional, for internally transactioned nodes only)
- [ICSPValidate](icspvalidate.md) (optional, for UI only)
This code must be compiled into a single .dll file and added to a package by using the instructions found in "Adding content to a package" in [Creating packages](https://msdn.microsoft.com/en-us/library/windows/hardware/dn756642). While writing this code, OEMs can store registry settings and files in the following locations.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td><p><strong>File location</strong></p></td>
<td><p>%DataDrive%\SharedData\OEM\CSP\</p></td>
</tr>
<tr class="even">
<td><p><strong>Registry location</strong></p></td>
<td><p>$(HKLM.SOFTWARE)\OEM\CSP\</p></td>
</tr>
</tbody>
</table>
For examples of how to perform common tasks such as adding a node, replacing a node's value, querying a node's value, or enumerating a node's children, see [Samples for writing a custom configuration service provider](samples-for-writing-a-custom-configuration-service-provider.md).
To register the configuration service provider as a COM object, you must add the following registry setting to your package. This step is required. In the following sample, replace *uniqueCSPguid* with a new, unique CLSID generated for this purpose. Replace *dllName* with the name of the .dll file that contains the code for your configuration service provider.
``` syntax
<RegKeys>
<RegKey KeyName="$(HKCR.CLASSES)\CLSID\{uniqueCSPguid}\InprocServer32">
<RegValue Name="@" Type="REG_SZ" Value="dllName.dll" />
</RegKey>
</RegKeys>
```
To register the configuration service provider with ConfigManager2, you must add the following registry setting to your package. This step is required. In the following sample, replace *dllName* with the name of the configuration service provider (the name of the root node). Replace *uniqueCSPguid* with the same *uniqueCSPguid* value as in the preceding example.
``` syntax
<RegKeys>
<RegKey KeyName="$(HKLM.SOFTWARE)\Microsoft\Provisioning\CSPs\.\Vendor\OEM\{Name}">
<RegValue Name="@" Value="{uniqueCSPguid}" Type="REG_SZ"/>
</RegKey>
</RegKeys>
```
To make the configuration service provider accessible from WAP XML, you must register it with the WAP data processing unit by setting the following registry key in your package. Replace *Name* with the name of the configuration service provider. Leave the GUID value exactly as written here.
``` syntax
<RegKeys>
<RegKey KeyName="$(HKLM.SOFTWARE)\Classes\Name">
<RegValue Name="WAPNodeProcessor" Value="{FB11047A-4051-4d1d-9DCA-C80C5DF98D70}"
Type="REG_SZ"/>
</RegKey>
</RegKeys>
```
 

109
windows/client-management/mdm/customdeviceui-csp.md Normal file
View File

@ -0,0 +1,109 @@
---
title: CustomDeviceUI CSP
description: CustomDeviceUI CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 20ED1867-7B9E-4455-B397-53B8B15C95A3
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CustomDeviceUI CSP
The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported.
The following diagram shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
> **Note**  This configuration service provider only applies to Windows 10 IoT Core (IoT Core).
![customdeviceui csp](images/provisioning-csp-customdeviceui.png)
<a href="" id="./Vendor/MSFT/CustomDeviceUI"></a>**./Vendor/MSFT/CustomDeviceUI**
The root node for the CustomDeviceUI configuration service provider. The supported operation is Get.
<a href="" id="StartupAppID"></a>**StartupAppID**
AppID string value is the default appid/AUMID to launch during startup. The supported operations are Get and Replace.
<a href="" id="BackgroundTasksToLaunch"></a>**BackgroundTasksToLaunch**
List of package names of background tasks that need to be launched on device startup. The supported operation is Get.
<a href="" id="BackgroundTasksToLaunch/BackgroundTaskPackageName"></a>**BackgroundTasksToLaunch/****_BackgroundTaskPackageName_**
Package Full Name of the App that needs be launched in the background. This can contain no entry points, a single entry point, or multiple entry points. The supported operations are Add, Delete, Get, and Replace.
## SyncML examples
**Set StartupAppID**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CustomDeviceUI/StartupAppID</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>DefaultApp_cw5n1h2txyewy!App</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
**Get all background tasks**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CustomDeviceUI/BackgroundTaskstoLaunch?list=Struct</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
**Add background task**
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CustomDeviceUI/BackgroundTaskstoLaunch/BackgroundService1_1.3.0.1_neutral__8wekyb3d8bbwe</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>0</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
 
 

149
windows/client-management/mdm/customdeviceui-ddf.md Normal file
View File

@ -0,0 +1,149 @@
---
title: CustomDeviceUI DDF
description: CustomDeviceUI DDF
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: E6D6B902-C57C-48A6-9654-CCBA3898455E
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# CustomDeviceUI DDF
This topic shows the OMA DM device description framework (DDF) for the **CustomDeviceUI** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>CustomDeviceUI</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/CustomDeviceUI</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>StartupAppID</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>AppID string value is the default appid/AUMID to launch during boot up </Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>BackgroundTasksToLaunch</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>List of package names of background tasks that needs to be launched on boot.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Background Tasks to Launch</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Package Full Name of the App that needs be launched in the background. This can contain no entry points, a single or multiple entry points</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>BackgroundTaskPackageName</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[CustomDeviceUI configuration service provider](customdeviceui-csp.md)
 
 

1151
windows/client-management/mdm/data-structures-windows-store-for-business.md Normal file
View File

File diff suppressed because it is too large Load Diff

328
windows/client-management/mdm/defender-csp.md Normal file
View File

@ -0,0 +1,328 @@
---
title: Defender CSP
description: Defender CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Defender CSP
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
The following image shows the Windows Defender configuration service provider in tree format
![defender csp diagram](images/provisioning-csp-defender.png)
<a href="" id="detections"></a>**Detections**
An interior node to group all threats detected by Windows Defender.
Supported operation is Get.
<a href="" id="detections-threatid"></a>**Detections/****_ThreatId_**
The ID of a threat that has been detected by Windows Defender.
Supported operation is Get.
<a href="" id="detections-threatid-name"></a>**Detections/*ThreatId*/Name**
The name of the specific threat.
The data type is a string.
Supported operation is Get.
<a href="" id="detections-threatid-url"></a>**Detections/*ThreatId*/URL**
URL link for additional threat information.
The data type is a string.
Supported operation is Get.
<a href="" id="detections-threatid-severity"></a>**Detections/*ThreatId*/Severity**
Threat severity ID.
The data type is a integer.
The following list shows the supported values:
- 0 = Unknown
- 1 = Low
- 2 = Moderate
- 4 = High
- 5 = Severe
Supported operation is Get.
<a href="" id="detections-threatid-category"></a>**Detections/*ThreatId*/Category**
Threat category ID.
The data type is a integer.
The following table describes the supported values:
| Value | Description |
|-------|-----------------------------|
| 0 | Invalid |
| 1 | Adware |
| 2 | Spyware |
| 3 | Password stealer |
| 4 | Trojan downloader |
| 5 | Worm |
| 6 | Backdoor |
| 7 | Remote access Trojan |
| 8 | Trojan |
| 9 | Email flooder |
| 10 | Keylogger |
| 11 | Dialer |
| 12 | Monitoring software |
| 13 | Browser modifier |
| 14 | Cookie |
| 15 | Browser plugin |
| 16 | AOL exploit |
| 17 | Nuker |
| 18 | Security disabler |
| 19 | Joke program |
| 20 | Hostile ActiveX control |
| 21 | Software bundler |
| 22 | Stealth modifier |
| 23 | Settings modifier |
| 24 | Toolbar |
| 25 | Remote control software |
| 26 | Trojan FTP |
| 27 | Potential unwanted software |
| 28 | ICQ exploit |
| 29 | Trojan telnet |
| 30 | Exploit |
| 31 | File sharing program |
| 32 | Malware creation tool |
| 33 | Remote control software |
| 34 | Tool |
| 36 | Trojan denial of service |
| 37 | Trojan dropper |
| 38 | Trojan mass mailer |
| 39 | Trojan monitoring software |
| 40 | Trojan proxy server |
| 42 | Virus |
| 43 | Known |
| 44 | Unknown |
| 45 | SPP |
| 46 | Behavior |
| 47 | Vulnerability |
| 48 | Policy |
 
Supported operation is Get.
<a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**
Information about the current status of the threat.
The data type is a integer.
The following list shows the supported values:
- 0 = Unknown
- 1 = Detected
- 2 = Cleaned
- 3 = Quarantined
- 4 = Removed
- 5 = Allowed
- 6 = Blocked
- 102 = Clean failed
- 103 = Quarantine failed
- 104 = Remove failed
- 105 = Allow failed
- 106 = Abandoned
- 107 = Block failed
Supported operation is Get.
<a href="" id="detections-threatid-executionstatus"></a>**Detections/*ThreatId*/ExecutionStatus**
Information about the execution status of the threat.
The data type is a integer.
Supported operation is Get.
<a href="" id="detections-threatid-initialdetectiontime"></a>**Detections/*ThreatId*/InitialDetectionTime**
The first time this particular threat was detected.
The data type is a string.
Supported operation is Get.
<a href="" id="detections-threatid-lastthreatstatuschangetime"></a>**Detections/*ThreatId*/LastThreatStatusChangeTime**
The last time this particular threat was changed.
The data type is a string.
Supported operation is Get.
<a href="" id="detections-threatid-numberofdetections"></a>**Detections/*ThreatId*/NumberOfDetections**
Number of times this threat has been detected on a particular client.
The data type is a integer.
Supported operation is Get.
<a href="" id="health"></a>**Health**
An interior node to group information about Windows Defender health status.
Supported operation is Get.
<a href="" id="health-computerstate"></a>**Health/ComputerState**
Provide the current state of the device.
The data type is a integer.
The following list shows the supported values:
- 0 = Clean
- 1 = Pending full scan
- 2 = Pending reboot
- 4 = Pending manual steps
- 8 = Pending offline scan
- 16 = Pending critical failure
Supported operation is Get.
<a href="" id="health-defenderenabled"></a>**Health/DefenderEnabled**
Indicates whether the Windows Defender service is running.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-rtpenabled"></a>**Health/RtpEnabled**
Indicates whether real-time protection is running.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-nisenabled"></a>**Health/NisEnabled**
Indicates whether network protection is running.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-quickscanoverdue"></a>**Health/QuickScanOverdue**
Indicates whether a Windows Defender quick scan is overdue for the device.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-fullscanoverdue"></a>**Health/FullScanOverdue**
Indicates whether a Windows Defender full scan is overdue for the device.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-signatureoutofdate"></a>**Health/SignatureOutOfDate**
Indicates whether the Windows Defender signature is outdated.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-rebootrequired"></a>**Health/RebootRequired**
Indicates whether a device reboot is needed.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-fullscanrequired"></a>**Health/FullScanRequired**
Indicates whether a Windows Defender full scan is required.
The data type is a boolean.
Supported operation is Get.
<a href="" id="health-engineversion"></a>**Health/EngineVersion**
Version number of the current Windows Defender engine on the device.
The data type is a string.
Supported operation is Get.
<a href="" id="health-signatureversion"></a>**Health/SignatureVersion**
Version number of the current Windows Defender signatures on the device.
The data type is a string.
Supported operation is Get.
<a href="" id="health-defenderversion"></a>**Health/DefenderVersion**
Version number of Windows Defender on the device.
The data type is a string.
Supported operation is Get.
<a href="" id="health-quickscantime"></a>**Health/QuickScanTime**
Time of the last Windows Defender quick scan of the device.
The data type is a string.
Supported operation is Get.
<a href="" id="health-fullscantime"></a>**Health/FullScanTime**
Time of the last Windows Defender full scan of the device.
The data type is a string.
Supported operation is Get.
<a href="" id="health-quickscansigversion"></a>**Health/QuickScanSigVersion**
Signature version used for the last quick scan of the device.
The data type is a string.
Supported operation is Get.
<a href="" id="health-fullscansigversion"></a>**Health/FullScanSigVersion**
Signature version used for the last full scan of the device.
The data type is a string.
Supported operation is Get.
<a href="" id="scan"></a>**Scan**
Node that can be used to start a Windows Defender scan on a device.
Valid values are:
- 1 - quick scan
- 2 - full scan
Supported operations are Get and Execute.
<a href="" id="updatesignature"></a>**UpdateSignature**
Node that can be used to perform signature updates for Windows Defender.
Supported operations are Get and Execute.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

674
windows/client-management/mdm/defender-ddf.md Normal file
View File

@ -0,0 +1,674 @@
---
title: Defender DDF file
description: Defender DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Defender DDF file
This topic shows the OMA DM device description framework (DDF) for the **Defender** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Defender</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Detections</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ThreatId</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>URL</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Severity</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Category</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CurrentStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ExecutionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InitialDetectionTime</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LastThreatStatusChangeTime</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NumberOfDetections</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Health</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ComputerState</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DefenderEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RtpEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NisEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>QuickScanOverdue</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FullScanOverdue</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SignatureOutOfDate</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RebootRequired</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FullScanRequired</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EngineVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SignatureVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DefenderVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>QuickScanTime</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FullScanTime</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>QuickScanSigVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FullScanSigVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Scan</NodeName>
<DFProperties>
<AccessType>
<Exec />
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>UpdateSignature</NodeName>
<DFProperties>
<AccessType>
<Exec />
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[Defender configuration service provider](defender-csp.md)
 
 

169
windows/client-management/mdm/design-a-custom-windows-csp.md Normal file
View File

@ -0,0 +1,169 @@
---
title: Design a custom configuration service provider
description: Design a custom configuration service provider
MS-HAID:
- 'p\_phDeviceMgmt.designing\_a\_custom\_configuration\_service\_provider'
- 'p\_phDeviceMgmt.design\_a\_custom\_windows\_csp'
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 0fff9516-a71a-4036-a57b-503ef1a81a37
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Design a custom configuration service provider
To design a custom configuration service provider, the OEM must perform the following steps:
1. Establish node semantics
2. Shape the configuration service provider's subtree
3. Choose a transactioning scheme for each node
4. Determine node operations
For more information about the larger process of writing a new configuration service provider, see [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md).
## Establish node semantics
First, determine the nodes you need based on the kind of data to be stored in the registry.
Nodes can represent anything from abstract concepts or collections (such as email accounts or connection settings) to more concrete objects (such as registry keys and values, directories, and files).
### Example
For example, a hypothetical Email configuration service provider might have these nodes:
- Account: The name of the email account (such as "Hotmail")
- Username: The user name or email address ("exampleAccount@hotmail.com")
- Password: The user's password
- Server: The DNS address of the server ("mail-serv1-example.mail.hotmail.com")
The `Account`, `Username`, and `Server` nodes would hold text-based information about the email account, the user's email address, and the server address associated with that account. The `Password` node, however, might hold a binary hash of the user's password.
## Shape the configuration service provider's subtree
After determining what the nodes represent, decide where each node fits in the settings hierarchy.
The root node of a configuration service provider's subtree must be the name of the configuration service provider. In this example, the root node is `Email`.
All of the nodes defined in the previous step must reside under the configuration service provider's root node. Leaf nodes should be used to store data, and interior nodes should be used to group the data into logical collections. Node URIs must be unique. In other words, no two nodes can have both the same parent and the same name.
There are three typical scenarios for grouping and structuring the nodes:
- If all of the data belongs to the same component and no further categorizing or grouping is required, you can build a flat tree in which all values are stored directly under the root node. For examples of this design, see [DevInfo configuration service provider](devinfo-csp.md), [HotSpot configuration service provider](hotspot-csp.md), and [w4 APPLICATION configuration service provider](w4-application-csp.md).
- If the configuration service provider's nodes represent a preexisting set of entities whose structure is well-defined (such as directories and files), the configuration service provider's nodes can simply mirror the existing structure.
- If the data must be grouped by type or component, a more complex structure is required. This is especially true when there can be multiple instances of the dataset on the device, and each set is indexed by an ID, account name, or account type. In this case, you must build a more complex tree structure. For examples, see [ActiveSync configuration service provider](activesync-csp.md), [CertificateStore configuration service provider](certificatestore-csp.md), and [CMPolicy configuration service provider](cmpolicy-csp.md).
### Example
The following image shows an incorrect way to structure the hypothetical `Email` configuration service provider. The interior `Account` nodes group the account data (server name, user name, and user password).
![provisioning\-customcsp\-example1](images/provisioning-customcsp-example1.png)
However, the account nodes in this design are not unique. Even though the nodes are grouped sensibly, the path for each of the leaf nodes is ambiguous. There is no way to disambiguate the two `Username` nodes, for example, or to reliably access the same node by using the same path. This structure will not work. The easiest solution to this problem is usually to replace an interior node (the grouping node) by:
1. Promoting a child node.
2. Using the node value as the name of the new interior node.
The following design conveys the same amount of information as the first design, but all nodes have a unique path, and therefore it will work.
![provisioning\-customcsp\-example2](images/provisioning-customcsp-example2.png)
In this case, the `Server` nodes have been promoted up one level to replace the `Account` nodes, and their values are now used as the node names. For example, you could have two different email accounts on the phone, with server names "www.hotmail.com" and "exchange.microsoft.com", each of which stores a user name and a password.
Note that the process of shaping the configuration service providers subtree influences the choice of transactioning schemes for each node. If possible, peer nodes should not have dependencies on each other. Internode dependencies other than parent/child relationships create mandatory groups of settings, which makes configuration service provider development more difficult.
## Choose a transactioning scheme for each node
For each node, decide whether to use *external transactioning* or *internal transactioning* to manage the transaction phases (rollback persistence, rollback, and commitment) for the node.
External transactioning is the simplest option because it allows ConfigManager2 to automatically handle the node's transactioning.
However, you must use internal transactioning for the following types of nodes:
- A node that supports the **Execute** method.
- A node that contains sensitive information (such as a password) that must not be saved in plain text in the ConfigManager2 rollback document.
- A node that has a dependency on another node that is not a parent. For example, if a parent node has two children that are both required, the configuration service provider could use internal transactioning to defer provisioning the account until both values are set.
You can choose to mix transactioning modes in your configuration service provider, using internal transactioning for some operations but external transactioning for others. For more information about writing an internally transactioned node, see the [ICSPNodeTransactioning](icspnodetransactioning.md) interface.
## Determine node operations
The operations available for each node can vary depending on the purpose of the configuration service provider. The configuration service provider will be easier to use if the operations are consistent. For more information about the supported operations, see the [ICSPNode](icspnode.md) interface.
For externally transactioned nodes, an operation implementation must include the contrary operations shown in the following table to allow rollback of the operation.
For internally transactioned nodes, the practice of implementing the contrary commands for each command is recommended, but not required.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Node operation</th>
<th>Contrary node operation</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>Add</strong></p></td>
<td><p><strong>Clear</strong> and <strong>DeleteChild</strong></p></td>
</tr>
<tr class="even">
<td><p><strong>Copy</strong></p></td>
<td><p>To copy to a new node: <strong>Clear</strong> and <strong>DeleteChild</strong></p>
<p>To copy to an existing node: <strong>Add</strong> and <strong>SetValue</strong></p></td>
</tr>
<tr class="odd">
<td><p><strong>Clear</strong></p></td>
<td><p>To restore the state of the deleted node: <strong>SetValue</strong> and <strong>SetProperty</strong></p></td>
</tr>
<tr class="even">
<td><p><strong>DeleteChild</strong></p></td>
<td><p>To restore the old node: <strong>Add</strong></p></td>
</tr>
<tr class="odd">
<td><p><strong>DeleteProperty</strong></p></td>
<td><p>To restore the deleted property: <strong>SetProperty</strong></p></td>
</tr>
<tr class="even">
<td><p><strong>Execute</strong></p></td>
<td><p>Externally transactioned nodes do not support the <strong>Execute</strong> command.</p></td>
</tr>
<tr class="odd">
<td><p><strong>GetValue</strong></p></td>
<td><p>None</p></td>
</tr>
<tr class="even">
<td><p><strong>Move</strong></p></td>
<td><p>To restore a source node: <strong>Move</strong></p>
<p>To restore an overwritten target node: <strong>Add</strong> and <strong>SetValue</strong></p></td>
</tr>
<tr class="odd">
<td><p><strong>SetValue</strong></p></td>
<td><p>To restore the previous value: <strong>SetValue</strong></p></td>
</tr>
</tbody>
</table>
 
 

197
windows/client-management/mdm/devdetail-csp.md Normal file
View File

@ -0,0 +1,197 @@
---
title: DevDetail CSP
description: DevDetail CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DevDetail CSP
The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
For the DevDetail CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider.
![devdetail csp (dm)](images/provisioning-csp-devdetail-dm.png)
<a href="" id="devtyp"></a>**DevTyp**
<p style="margin-left: 20px"><p style="margin-left: 20px">Required. Returns the device model name /SystemProductName as a string.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="oem"></a>**OEM**
<p style="margin-left: 20px">Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="fwv"></a>**FwV**
<p style="margin-left: 20px">Required. Returns the firmware version, as defined in the registry key HKEY\_LOCAL\_MACHINE\\System\\Platform\\DeviceTargetingInfo\\PhoneFirmwareRevision.
<p style="margin-left: 20px">For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BIOSVersion.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="swv"></a>**SwV**
<p style="margin-left: 20px">Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="hwv"></a>**HwV**
<p style="margin-left: 20px">Required. Returns the hardware version, as defined in the registry key HKEY\_LOCAL\_MACHINE\\System\\Platform\\DeviceTargetingInfo\\PhoneRadioHardwareRevision.
<p style="margin-left: 20px">For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BIOSVersion.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="lrgobj"></a>**LrgObj**
<p style="margin-left: 20px">Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="uri-maxdepth"></a>**URI/MaxDepth**
<p style="margin-left: 20px">Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0).
<p style="margin-left: 20px">Supported operation is Get.
<p style="margin-left: 20px">This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
<a href="" id="uri-maxtotlen"></a>**URI/MaxTotLen**
<p style="margin-left: 20px">Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0).
<p style="margin-left: 20px">Supported operation is Get.
<p style="margin-left: 20px">This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
<a href="" id="uri-maxseglen"></a>**URI/MaxSegLen**
<p style="margin-left: 20px">Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0).
<p style="margin-left: 20px">Supported operation is Get.
<p style="margin-left: 20px">This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
<a href="" id="ext-microsoft-mobileid"></a>**Ext/Microsoft/MobileID**
<p style="margin-left: 20px">Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support.
<p style="margin-left: 20px">Supported operation is Get.
<p style="margin-left: 20px">The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element.
<a href="" id="ext-microsoft-localtime"></a>**Ext/Microsoft/LocalTime**
<p style="margin-left: 20px">Required. Returns the client local time in ISO 8601 format.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-osplatform"></a>**Ext/Microsoft/OSPlatform**
<p style="margin-left: 20px">Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-processortype"></a>**Ext/Microsoft/ProcessorType**
<p style="margin-left: 20px">Required. Returns the processor type of the device as documented in SYSTEM\_INFO.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-radioswv"></a>**Ext/Microsoft/RadioSwV**
<p style="margin-left: 20px">Required. Returns the radio stack software version number.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-resolution"></a>**Ext/Microsoft/Resolution**
<p style="margin-left: 20px">Required. Returns the UI screen resolution of the device (example: "480x800").
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-commercializationoperator"></a>**Ext/Microsoft/CommercializationOperator**
<p style="margin-left: 20px">Required. Returns the name of the mobile operator if it exists; otherwise it returns 404..
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-processorarchitecture"></a>**Ext/Microsoft/ProcessorArchitecture**
<p style="margin-left: 20px">Required. Returns the processor architecture of the device as "arm" or "x86".
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-microsoft-devicename"></a>**Ext/Microsoft/DeviceName**
<p style="margin-left: 20px">Required. Contains the user-specified device name.
<p style="margin-left: 20px">Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
<p style="margin-left: 20px">Value type is string.
<p style="margin-left: 20px">Supported operations are Get and Replace.
<a href="" id="ext-microsoft-totalstorage"></a>**Ext/Microsoft/TotalStorage**
<p style="margin-left: 20px">Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
<p style="margin-left: 20px">Supported operation is Get.
> [!NOTE]
> This is only supported in Windows 10 Mobile.
<a href="" id="ext-microsoft-totalram"></a>**Ext/Microsoft/TotalRAM**
<p style="margin-left: 20px">Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory).
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="ext-wlanmacaddress"></a>**Ext/WLANMACAddress**
<p style="margin-left: 20px">The MAC address of the active WLAN connection, as a 12-digit hexadecimal number.
<p style="margin-left: 20px">Supported operation is Get.
> [!NOTE]
> This is not supported in Windows 10 for desktop editions.
<a href="" id="volteservicesetting"></a>**VoLTEServiceSetting**
<p style="margin-left: 20px">Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlanipv4address"></a>**WlanIPv4Address**
<p style="margin-left: 20px">Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlanipv6address"></a>**WlanIPv6Address**
<p style="margin-left: 20px">Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlandnssuffix"></a>**WlanDnsSuffix**
<p style="margin-left: 20px">Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlansubnetmask"></a>**WlanSubnetMask**
<p style="margin-left: 20px">Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="devicehardwaredata"></a>**DeviceHardwareData**
<p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
<p style="margin-left: 20px">Supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

699
windows/client-management/mdm/devdetail-ddf-file.md Normal file
View File

@ -0,0 +1,699 @@
---
title: DevDetail DDF file
description: DevDetail DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 645fc2b5-2d2c-43b1-9058-26bedbe9f00d
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DevDetail DDF file
This topic shows the OMA DM device description framework (DDF) for the **DevDetail** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC "-//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DevDetail</NodeName>
<Path>.</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName>urn:oma:mo:oma-dm-devdetail:1.1</DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>URI</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>MaxDepth</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxTotLen</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxSegLen</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>DevTyp</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Device model name, as specified and tracked by the manufacturer</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>OEM</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Name of OEM</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FwV</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Provide the version of OEM ROM region.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SwV</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Returns the Windows Phone OS software version.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>HwV</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Returns the hardware version.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LrgObj</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>
Large object isn't supported. The data for this node is "false".
</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Ext</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Subtree to hold vendor-specific parameters</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Microsoft</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Subtree to hold vendor-specific parameters</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>MobileID</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Indicates the subscriber ID registered with the cellular network. For GSM and UMTS networks, the value returned is the IMSI value; for other networks, SyncML Status code 404 is returned.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RadioSwV</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Version of the software radio stack</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Resolution</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Resolution of the device in the format of WidthxLength (e.g., "400x800").</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CommercializationOperator</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Name of operator with whom the device was commercialized.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProcessorArchitecture</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Processor architecture of the device, as returned by the GetSystemInfo API.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProcessorType</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Processor type of the device, as returned by the GetSystemInfo API.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>OSPlatform</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Name of the operating system platform.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LocalTime</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Returns the UTC time formatted per ISO8601. Example: 2003-06-16T18:37:44Z.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DeviceName</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>User-specified device name</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>TotalStorage</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Total available storage in MB from first internal drive on the device (may be less than total physical storage). Available for Windows Mobile only.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>TotalRAM</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Total available memory in MB on the device (may be less than total physical memory).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>WLANMACAddress</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The MAC address of the active WiFi connection</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>VoLTEServiceSetting</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The VoLTE service setting on or off. Only exposed to Mobile Operator-based OMA-DM servers.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>WlanIPv4Address</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The IPv4 address of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>WlanIPv6Address</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The IPv6 address of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>WlanDnsSuffix</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The DNS suffix of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>WlanSubnetMask</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The subnet mask for the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DeviceHardwareData</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Added in Windows 10 version 1703. Returns a base64 encoded string of the hardware parameters of a device.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[DevDetail configuration service provider](devdetail-csp.md)
 
 

71
windows/client-management/mdm/developersetup-csp.md Normal file
View File

@ -0,0 +1,71 @@
---
title: DeveloperSetup CSP
description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the next major update of Windows 10.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid:
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeveloperSetup CSP
The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](https://msdn.microsoft.com/en-us/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703.
> [!NOTE]
The DeveloperSetup configuration service provider (CSP) is supported only in Windows 10 Holographic Enterprise edition and is for provisioning only.
The following diagram shows the DeveloperSetup configuration service provider in tree format.
![developersetup csp diagram](images/provisioning-csp-developersetup.png)
<a href="" id="developersetup"></a>**DeveloperSetup**
<p style="margin-left: 20px">The root node for the DeveloperSetup configuration service provider.
<a href="" id="enabledevelopermode"></a>**EnableDeveloperMode**
<p style="margin-left: 20px">A Boolean value that is used to enable Developer Mode on the device. The default value is false.
<p style="margin-left: 20px">The only supported operation is Replace.
<a href="" id="deviceportal"></a>**DevicePortal**
<p style="margin-left: 20px">The node for the Windows Device Portal.
<a href="" id="deviceportal-authentication"></a>**DevicePortal/Authentication**
<p style="margin-left: 20px">The node that describes the characteristics of the authentication mechanism that is used for the Windows Device Portal.
<a href="" id="deviceportal-authentication-mode"></a>**DevicePortal/Authentication/Mode**
<p style="margin-left: 20px">An integer value that specifies the mode of authentication that is used when making requests to the Windows Device Portal.
<p style="margin-left: 20px">The only supported operation is Replace.
<a href="" id="deviceportal-authentication-basicauth"></a>**DevicePortal/Authentication/BasicAuth**
<p style="margin-left: 20px">The node that describes the credentials that are used for basic authentication with the Windows Device Portal.
<a href="" id="deviceportal-authentication-username"></a>**DevicePortal/Authentication/BasicAuth/Username**
<p style="margin-left: 20px">A string value that specifies the user name to use when performing basic authentication with the Windows Device Portal.
The user name must contain only ASCII characters and cannot contain a colon (:).
<p style="margin-left: 20px">The only supported operation is Replace.
<a href="" id="deviceportal-authentication-password"></a>**DevicePortal/Authentication/BasicAuth/Password**
<p style="margin-left: 20px">A string value that specifies the password to use when authenticating requests against the Windows Device Portal.
<p style="margin-left: 20px">The only supported operation is Replace.
<a href="" id="deviceportal-connection"></a>**DevicePortal/Connection**
<p style="margin-left: 20px">The node for configuring connections to the Windows Device Portal service.
<a href="" id="deviceportal-connection-httpport"></a>**DevicePortal/Connection/HttpPort**
<p style="margin-left: 20px">An integer value that is used to configure the HTTP port for incoming connections to the Windows Device Portal service.
If authentication is enabled, **HttpPort** will redirect the user to the (required) **HttpsPort**.
<p style="margin-left: 20px">The only supported operation is Replace.
<a href="" id="deviceportal-connection-httpsport"></a>**DevicePortal/Connection/HttpsPort**
<p style="margin-left: 20px">An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service.
<p style="margin-left: 20px">The only supported operation is Replace.

301
windows/client-management/mdm/developersetup-ddf.md Normal file
View File

@ -0,0 +1,301 @@
---
title: DeveloperSetup DDF file
description: This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid:
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeveloperSetup DDF file
This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DeveloperSetup</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName>com.microsoft/1.0/MDM/DeveloperSetup</DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EnableDeveloperMode</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Enables developer mode on the device</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>EnableDeveloperMode</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DevicePortal</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Authentication</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Specifies characteristics of the authentication mechanism used for the Windows Device Portal.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Authentication</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Mode</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Describes the mode of authentication used when making requests to the Device Portal.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Mode</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>BasicAuth</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Describes credentials used for basic authentication</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>BasicAuth</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Username</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Describes the username to use when performing basic authentication with the Windows Device Portal</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Username</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Password</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Describes the password to use when authenticating requests against the Windows Device Portal</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Password</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Connection</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Connection</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>HttpPort</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Configures the HTTP port for incoming connections to the Device Portal Service.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>HttpPort</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>HttpsPort</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Configures the HTTPS port for incoming connections to the Device Portal Service.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>HttpsPort</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

972
windows/client-management/mdm/device-update-management.md Normal file
View File

@ -0,0 +1,972 @@
---
title: Device update management
description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# Device update management
In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up-to-date with the latest Microsoft Updates.
In particular, Windows 10 provides additional APIs to enable MDMs to:
- Ensure machines stay up-to-date by configuring Automatic Update policies.
- Test updates on a smaller set of machines before enterprise-wide rollout by configuring which updates are approved for a given device.
- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up-to-date is a particular machine.
This topic provides MDM ISVs with the information they need to implement update management in Windows 10.
In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to:
- Configure automatic update policies to ensure devices stay up-to-date.
- Get device compliance information (the list of updates that are needed but not yet installed).
- Specify a per-device update approval list, to ensure devices dont install unapproved updates that have not been tested.
- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs.
The OMA DM APIs for specifying update approvals and getting compliance status reference updates using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the updates title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526707).
For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md).
The following diagram provides a conceptual overview of how this works:
![mobile device update management](images/mdm-update-sync.png)
The diagram can be roughly divided into three areas:
- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
- The device gets updates from Microsoft Update using client/server protocol, but only downloads and installs updates that are both applicable to the device and approved by IT (right portion of the diagram).
## <a href="" id="gettingupdatemetadata"></a>Getting update metadata using the Server-Server sync protocol
The Microsoft Update Catalog is huge and contains many updates that are not needed by MDM-managed devices, including updates for legacy software (for example, updates to servers, down-level desktop operating systems, and legacy apps), and a large number of drivers. We recommend that the MDM use the Server-Server sync protocol to get update metadata for updates reported from the client.
This section describes how this is done. The following diagram shows the server-server sync protocol process.
![mdm server-server sync](images/deviceupdateprocess2.png)
MSDN provides much information about the Server-Server sync protocol. In particular:
- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](http://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https:<span></span>//fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx.
Some important highlights:
- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](https://msdn.microsoft.com/library/dd304816.aspx) in MSDN. The LocURI to get the applicable updates with their revision Numbers is `<LocURI>./Vendor/MSFT/Update/InstallableUpdates?list=StructData</LocURI>`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
- For mobile devices, you can either sync metadata for a particular update by calling GetUpdateData, or for a local on-premises solution, you can use WSUS and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
> **Note**  On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, etc). Each time such a change is made that doesnt affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
## <a href="" id="examplesofupdatestructure"></a>Examples of update metadata XML structure and element descriptions
The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). Some of the key elements are described below:
- **UpdateID** The unique identifier for an update
- **RevisionNumber** Revision number for the update in case the update was modified.
- **CreationDate** the date on which this update was created.
- **UpdateType** The type of update which could include the following:
- **Detectoid** if this update identity represents a compatibility logic
- **Category** This could represent either of the following:
- A Product category the update belongs to. For example, Windows, MS office etc.
- The classification the update belongs to. For example, Drivers, security etc.
- **Software** If the update is a software update.
- **Driver** if the update is a driver update.
- **LocalizedProperties** represents the language the update is available in, title and description of the update. It has the following fields:
- **Language** The language code identifier (LCID). For example, en or es.
- **Title** Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)”
- **Description** Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you have installed this item, it cannot be removed.”
- **KBArticleID** The KB article number for this update that has details regarding the particular update. For example, <http://support.microsoft.com/kb/2902892>.
## <a href="" id="recommendedflow"></a>Recommended Flow for Using the Server-Server Sync Protocol
This section describes a possible algorithm for using the server-server sync protocol to pull in update metadata to the MDM.
First some background:
- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it is common to all tenants.
- A metadata sync service can then be implemented that periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client if those updates are not already known to the device.
The following procedure describes a basic algorithm for a metadata sync service:
- Initialization, composed of the following:
1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about 4 new definition updates per day, each of which is cumulative).
- Sync periodically (we recommend once every 2 hours - no more than once/hour).
1. Implement the authorization phase of the protocol to get a cookie if you dont already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720).
2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720)), and:
- Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata has not already been pulled into the DB.
- If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
- Remove updates from the "needed update IDs to fault in" list once they have been brought in.
This provides an efficient way to pull in the information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time you can pull information so IT can see what updates they are approving, or for compliance reports to see what updates are needed but not yet installed.
## <a href="" id="managingupdates"></a>Managing updates using OMA DM
An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented the [Mobile device management](mobile-device-enrollment.md) topic. This section focuses on how to extend that integration to support update management. The key aspects of update management include the following:
- Configure automatic update policies to ensure devices stay up-to-date.
- Get device compliance information (the list of updates that are needed but not yet installed)
- Specify a per-device update approval list to ensure devices dont install unapproved updates that have not been tested.
- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs
The following list describes a suggested model for applying updates.
1. Have a "Test Group" and an "All Group".
2. In the Test group, just let all updates flow.
3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are availible. This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues.
Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md). Please refer to these topics for details on configuring updates.
### Update policies
The enterprise IT can configure auto-update polices via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality is not supported in Windows 10 Mobile and Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following diagram shows the Update policies in a tree format.
![update csp diagram](images/update-policies.png)
<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
> [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
<p style="margin-left: 20px">Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
<p style="margin-left: 20px">The default is 17 (5 PM).
<a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
<p style="margin-left: 20px">Supported values are 8-18.
<p style="margin-left: 20px">The default value is 18 (hours).
<a href="" id="update-activehoursstart"></a>**Update/ActiveHoursStart**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
> [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
<p style="margin-left: 20px">Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
<p style="margin-left: 20px">The default value is 8 (8 AM).
<a href="" id="update-allowautoupdate"></a>**Update/AllowAutoUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
<p style="margin-left: 20px">Supported operations are Get and Replace.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
- 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
- 3 Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
- 5 Turn off automatic updates.
> [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
 
<p style="margin-left: 20px">If the policy is not configured, end-users get the default behavior (Auto install and restart).
<a href="" id="update-allowmuupdateservice"></a>**Update/AllowMUUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed or not configured.
- 1 Allowed. Accepts updates received through Microsoft Update.
<a href="" id="update-allownonmicrosoftsignedupdate"></a>**Update/AllowNonMicrosoftSignedUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
<p style="margin-left: 20px">Supported operations are Get and Replace.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
- 1 Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
<p style="margin-left: 20px">This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
<a href="" id="update-allowupdateservice"></a>**Update/AllowUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.
<p style="margin-left: 20px">Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store
<p style="margin-left: 20px">Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Update service is not allowed.
- 1 (default) Update service is allowed.
> [!NOTE]
> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
<a href="" id="update-autorestartnotificationschedule"></a>**Update/AutoRestartNotificationSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
<p style="margin-left: 20px">Supported values are 15, 30, 60, 120, and 240 (minutes).
<p style="margin-left: 20px">The default value is 15 (minutes).
<a href="" id="update-autorestartrequirednotificationdismissal"></a>**Update/AutoRestartRequiredNotificationDismissal**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
<p style="margin-left: 20px">The following list shows the supported values:
- 1 (default) Auto Dismissal.
- 2 User Dismissal.
<a href="" id="update-branchreadinesslevel"></a>**Update/BranchReadinessLevel**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
<p style="margin-left: 20px">The following list shows the supported values:
- 16 (default) User gets all applicable upgrades from Current Branch (CB).
- 32 User gets upgrades from Current Branch for Business (CBB).
<a href="" id="update-deferfeatureupdatesperiodindays"></a>**Update/DeferFeatureUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
<p style="margin-left: 20px">Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
<p style="margin-left: 20px">Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
<p style="margin-left: 20px">Supported values are 0-180.
<a href="" id="update-deferqualityupdatesperiodindays"></a>**Update/DeferQualityUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
<p style="margin-left: 20px">Supported values are 0-30.
<a href="" id="update-deferupdateperiod"></a>**Update/DeferUpdatePeriod**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
<p style="margin-left: 20px">Allows IT Admins to specify update delays for up to 4 weeks.
<p style="margin-left: 20px">Supported values are 0-4, which refers to the number of weeks to defer updates.
<p style="margin-left: 20px">In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:
- Update/RequireDeferUpgrade must be set to 1
- System/AllowTelemetry must be set to 1 or higher
<p style="margin-left: 20px">If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<p style="margin-left: 20px">If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<table style="margin-left: 20px">
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Update category</th>
<th>Maximum deferral</th>
<th>Deferral increment</th>
<th>Update type/notes</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>OS upgrade</p></td>
<td style="vertical-align:top"><p>8 months</p></td>
<td style="vertical-align:top"><p>1 month</p></td>
<td style="vertical-align:top"><p>Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Update</p></td>
<td style="vertical-align:top"><p>1 month</p></td>
<td style="vertical-align:top"><p>1 week</p></td>
<td style="vertical-align:top"><div class="alert">
<strong>Note</strong>
If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
</div>
<ul>
<li>Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441</li>
<li>Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4</li>
<li>Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F</li>
<li>Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828</li>
<li>Tools - B4832BD8-E735-4761-8DAF-37F882276DAB</li>
<li>Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F</li>
<li>Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</li>
<li>Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</li>
</ul></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Other/cannot defer</p></td>
<td style="vertical-align:top"><p>No deferral</p></td>
<td style="vertical-align:top"><p>No deferral</p></td>
<td style="vertical-align:top"><p>Any update category not specifically enumerated above falls into this category.</p>
<p>Definition Update - E0789628-CE08-4437-BE74-2495B842F43B</p></td>
</tr>
</tbody>
</table>
<a href="" id="update-deferupgradeperiod"></a>**Update/DeferUpgradePeriod**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
>
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
<p style="margin-left: 20px">Allows IT Admins to specify additional upgrade delays for up to 8 months.
<p style="margin-left: 20px">Supported values are 0-8, which refers to the number of months to defer upgrades.
<p style="margin-left: 20px">If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<p style="margin-left: 20px">If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
<p style="margin-left: 20px">Supported values are 2-30 days.
<p style="margin-left: 20px">The default value is 0 days (not specified).
<a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
<p style="margin-left: 20px">Supported values are 1-3 days.
<p style="margin-left: 20px">The default value is 3 days.
<a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
<p style="margin-left: 20px">Supported values are 2-30 days.
<p style="margin-left: 20px">The default value is 7 days.
<a href="" id="update-excludewudriversinqualityupdate"></a>**Update/ExcludeWUDriversInQualityUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Allow Windows Update drivers.
- 1 Exclude Windows Update drivers.
<a href="" id="update-ignoremoappdownloadlimit"></a>**Update/IgnoreMOAppDownloadLimit**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Do not ignore MO download limit for apps and their updates.
- 1 Ignore MO download limit (allow unlimited downloading) for apps and their updates.
<p style="margin-left: 20px">To validate this policy:
1. Enable the policy ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
- `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f`
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
<a href="" id="update-ignoremoupdatedownloadlimit"></a>**Update/IgnoreMOUpdateDownloadLimit**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Do not ignore MO download limit for OS updates.
- 1 Ignore MO download limit (allow unlimited downloading) for OS updates.
<p style="margin-left: 20px">To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
<a href="" id="update-pausedeferrals"></a>**Update/PauseDeferrals**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
<p style="margin-left: 20px">Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Deferrals are not paused.
- 1 Deferrals are paused.
<p style="margin-left: 20px">If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<p style="margin-left: 20px">If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<a href="" id="update-pausefeatureupdates"></a>**Update/PauseFeatureUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
<p style="margin-left: 20px">Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Feature Updates are not paused.
- 1 Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
<a href="" id="update-pausequalityupdates"></a>**Update/PauseQualityUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Quality Updates are not paused.
- 1 Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
<a href="" id="update-requiredeferupgrade"></a>**Update/RequireDeferUpgrade**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
<p style="margin-left: 20px">Allows the IT admin to set a device to CBB train.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) User gets upgrades from Current Branch.
- 1 User gets upgrades from Current Branch for Business.
<a href="" id="update-requireupdateapproval"></a>**Update/RequireUpdateApproval**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<br>
> [!NOTE]
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
<p style="margin-left: 20px">Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
<p style="margin-left: 20px">Supported operations are Get and Replace.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 Not configured. The device installs all applicable updates.
- 1 The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
<a href="" id="update-scheduleimminentrestartwarning"></a>**Update/ScheduleImminentRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
<p style="margin-left: 20px">Supported values are 15, 30, or 60 (minutes).
<p style="margin-left: 20px">The default value is 15 (minutes).
<a href="" id="update-scheduledinstallday"></a>**Update/ScheduledInstallDay**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Enables the IT admin to schedule the day of the update installation.
<p style="margin-left: 20px">The data type is a string.
<p style="margin-left: 20px">Supported operations are Add, Delete, Get, and Replace.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Every day
- 1 Sunday
- 2 Monday
- 3 Tuesday
- 4 Wednesday
- 5 Thursday
- 6 Friday
- 7 Saturday
<a href="" id="update-scheduledinstalltime"></a>**Update/ScheduledInstallTime**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Enables the IT admin to schedule the time of the update installation.
<p style="margin-left: 20px">The data type is a string.
<p style="margin-left: 20px">Supported operations are Add, Delete, Get, and Replace.
<p style="margin-left: 20px">Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
<p style="margin-left: 20px">The default value is 3.
<a href="" id="update-schedulerestartwarning"></a>**Update/ScheduleRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications.
<p style="margin-left: 20px">Supported values are 2, 4, 8, 12, or 24 (hours).
<p style="margin-left: 20px">The default value is 4 (hours).
<a href="" id="update-setautorestartnotificationdisable"></a>**Update/SetAutoRestartNotificationDisable**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Enabled
- 1 Disabled
<a href="" id="update-updateserviceurl"></a>**Update/UpdateServiceUrl**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
> [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise.
<p style="margin-left: 20px">Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
<p style="margin-left: 20px">Supported operations are Get and Replace.
<p style="margin-left: 20px">The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
Example
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl</LocURI>
</Target>
<Data>http://abcd-srv:8530</Data>
</Item>
</Replace>
```
<a href="" id="update-updateserviceurlalternate"></a>**Update/UpdateServiceUrlAlternate**
> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
<p style="margin-left: 20px">Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
<p style="margin-left: 20px">This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
<p style="margin-left: 20px">To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
<p style="margin-left: 20px">Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
### Update management
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format..
![update csp diagram](images/provisioning-csp-update.png)
<a href="" id="update"></a>**Update**
The root node.
Supported operation is Get.
<a href="" id="approvedupdates"></a>**ApprovedUpdates**
Node for update approvals and EULA acceptance on behalf of the end-user.
> **Note** When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
> **Note**  For the Windows 10 build, the client may need to reboot after additional updates are added.
 
Supported operations are Get and Add.
<a href="" id="approvedupdates-approved-update-guid"></a>**ApprovedUpdates/****_Approved Update Guid_**
Specifies the update GUID.
To auto-approve a class of updates, you can specify the [Update Classifications](http://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
Supported operations are Get and Add.
Sample syncml:
```
<LocURI>./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d</LocURI>
```
<a href="" id="approvedupdates-approved-update-guid-approvedtime"></a>**ApprovedUpdates/*Approved Update Guid*/ApprovedTime**
Specifies the time the update gets approved.
Supported operations are Get and Add.
<a href="" id="failedupdates"></a>**FailedUpdates**
Specifies the approved updates that failed to install on a device.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid"></a>**FailedUpdates/****_Failed Update Guid_**
Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-hresult"></a>**FailedUpdates/*Failed Update Guid*/HResult**
The update failure error code.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-status"></a>**FailedUpdates/*Failed Update Guid*/Status**
Specifies the failed update status (for example, download, install).
Supported operation is Get.
<a href="" id="installedupdates"></a>**InstalledUpdates**
The updates that are installed on the device.
Supported operation is Get.
<a href="" id="installedupdates-installed-update-guid"></a>**InstalledUpdates/****_Installed Update Guid_**
UpdateIDs that represent the updates installed on a device.
Supported operation is Get.
<a href="" id="installableupdates"></a>**InstallableUpdates**
The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid"></a>**InstallableUpdates/****_Installable Update Guid_**
Update identifiers that represent the updates applicable and not installed on a device.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-type"></a>**InstallableUpdates/*Installable Update Guid*/Type**
The UpdateClassification value of the update. Valid values are:
- 0 - None
- 1 - Security
- 2 = Critical
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-revisionnumber"></a>**InstallableUpdates/*Installable Update Guid*/RevisionNumber**
The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Supported operation is Get.
<a href="" id="pendingrebootupdates"></a>**PendingRebootUpdates**
The updates that require a reboot to complete the update session.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid"></a>**PendingRebootUpdates/****_Pending Reboot Update Guid_**
Update identifiers for the pending reboot state.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid-installedtime"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime**
The time the update is installed.
Supported operation is Get.
<a href="" id="lastsuccessfulscantime"></a>**LastSuccessfulScanTime**
The last successful scan time.
Supported operation is Get.
<a href="" id="deferupgrade"></a>**DeferUpgrade**
Upgrades deferred until the next period.
Supported operation is Get.
## <a href="" id="windows10version1607forupdatemanagement"></a> Windows 10, version 1607 for update management
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). You should use these policies for the new Windows 10, version 1607 devices.
- Update/ActiveHoursEnd
- Update/ActiveHoursStart
- Update/AllowMUUpdateService
- Update/BranchReadinessLevel
- Update/DeferFeatureUpdatePeriodInDays
- Update/DeferQualityUpdatePeriodInDays
- Update/ExcludeWUDriversInQualityUpdate
- Update/PauseFeatureUpdates
- Update/PauseQualityUpdates
Here's the list of corresponding Group Policy settings in HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>GPO key</th>
<th>Type</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>BranchReadinessLevel</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>16: systems take Feature Updates on the Current Branch (CB) train</p>
<p>32: systems take Feature Updates on the Current Branch for Business</p>
<p>Other value or absent: receive all applicable updates (CB)</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>DeferQualityUpdates</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>1: defer quality updates</p>
<p>Other value or absent: dont defer quality updates</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>DeferQualityUpdatesPeriodInDays</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>0-30: days to defer quality updates</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>PauseQualityUpdates</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>1: pause quality updates</p>
<p>Other value or absent: dont pause quality updates</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>DeferFeatureUpdates</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>1: defer feature updates</p>
<p>Other value or absent: dont defer feature updates</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>DeferFeatureUpdatesPeriodInDays</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>0-180: days to defer feature updates</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>PauseFeatureUpdates</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>1: pause feature updates</p>
<p>Other value or absent: dont pause feature updates</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>ExcludeWUDriversInQualityUpdate</p></td>
<td style="vertical-align:top"><p>REG_DWORD</p></td>
<td style="vertical-align:top"><p>1: exclude WU drivers</p>
<p>Other value or absent: offer WU drivers</p></td>
</tr>
</tbody>
</table>
 
Here is the list of older policies that are still supported for backward compatibility. You can use these for Windows 10, version 1511 devices.
- Update/RequireDeferUpgrade
- Update/DeferUpgradePeriod
- Update/DeferUpdatePeriod
- Update/PauseDeferrals
For Windows Update for Business, here is the list of supported policies on Windows 10 Mobile Enterprise:
- For Windows 10, version 1511 (Build 10586): Update/RequireDeferUpgrade, Update/DeferUpdatePeriod and Update/PauseDeferrals. To use DeferUpdatePeriod and PauseDeferrals the RequireDeferUpgrade has to be set to 1, which essentially means for a device running 1511, the Windows Update for Business policies can only be set when a device is configured for CBB servicing.
- For Windows 10, version 1607 (Build 14393): Update/BranchReadinessLevel, Update/DeferQualityUpdatesPeriodInDays and Update/PauseQualityUpdates. In 1607 we added support where you can configure Windows Update for Business policies when a device is configured for CB/CBB servicing.
> **Note**  
For policies supported for Windows Update for Business, when you set policies for both Windows 10, version 1607 and Windows 10, version 1511 running on 1607, then 1607 policies will be configured (1607 trumps 1511).
For policies supported for Windows Update for Business, when you set 1511 policies on a device running 1607, the you will get the expected behavior for 1511 policies.
 
## <a href="" id="userexperiencescreenshot"></a>Update management user experience screenshot
The following screenshots of the administrator console shows the list of update titles, approval status, and additional metadata fields.
![mdm update management screenshot](images/deviceupdatescreenshot1.png)
![mdm update managment metadata screenshot](images/deviceupdatescreenshot2.png)
## <a href="" id="syncmlexample"></a>SyncML example
Set auto update to notify and defer.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace xmlns="">
<CmdID>1</CmdID>
<Item>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/AllowUpdateService</LocURI>
</Target>
<Data>0</Data>
</Item>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade </LocURI>
</Target>
<Data>0</Data>
</Item>
<CmdID>3</CmdID>
<Item>
<Meta>
<Format>int</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval </LocURI>
</Target>
<Data>0</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## Process flow diagram and screenshots of server sync process
The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
![mdm device update management screenshot](images/deviceupdatescreenshot3.png)![mdm device update management screenshot](images/deviceupdatescreenshot4.png)![mdm device update management screenshot](images/deviceupdatescreenshot5.png)![mdm device update management screenshot](images/deviceupdatescreenshot6.png)![mdm device update management screenshot](images/deviceupdatescreenshot7.png)![mdm device update management screenshot](images/deviceupdatescreenshot8.png)![mdm device update management screenshot](images/deviceupdatescreenshot9.png)
 

121
windows/client-management/mdm/deviceinstanceservice-csp.md Normal file
View File

@ -0,0 +1,121 @@
---
title: DeviceInstanceService CSP
description: DeviceInstanceService CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceInstanceService CSP
The DeviceInstanceService configuration service provider provides some device inventory information that could be useful for an enterprise. Additionally, this CSP supports querying two different phone numbers in the case of dual SIM. The URIs for SIM 1 and SIM 2 are ./Vendor/MSFT/DeviceInstanceService/Identity/Identity1 and ./Vendor/MSFT/DeviceInstanceService/Identity/Identity2 respectively.
> **Note**  
Stop using DeviceInstanceService CSP and use the updated [DeviceStatus CSP](devicestatus-csp.md) instead.
The DeviceInstance CSP is only supported in Windows 10 Mobile.
 
The following diagram shows the DeviceInstanceService configuration service provider in tree format.
![provisioning\-csp\-deviceinstanceservice](images/provisioning-csp-deviceinstanceservice.png)
<a href="" id="roaming"></a>**Roaming**
A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
Supported operation is **Get**.
Returns **True** if the device is roaming; otherwise **False**.
<a href="" id="phonenumber"></a>**PhoneNumber**
A string that represents the phone number of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
Value type is chr.
Supported operation is **Get**.
<a href="" id="imei"></a>**IMEI**
A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
Value type is chr.
Supported operation is **Get**.
<a href="" id="imsi"></a>**IMSI**
A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
Value type is chr.
Supported operation is **Get**.
<a href="" id="identity"></a>**Identity**
The parent node to group per SIM specific information in case of dual SIM mode.
<a href="" id="identity1"></a>**Identity1**
The parent node to group SIM1 specific information in case of dual SIM mode.
<a href="" id="identity2"></a>**Identity2**
The parent node to group SIM2 specific information in case of dual SIM mode.
## Examples
The following sample shows how to query roaming status and phone number on the device.
``` syntax
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DeviceInstanceService/Roaming</LocURI>
</Target>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DeviceInstanceService/PhoneNumber</LocURI>
</Target>
</Item>
</Get>
```
Response from the phone.
``` syntax
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source><LocURI>./Vendor/MSFT/DeviceInstanceService/Roaming</LocURI></Source>
<Meta><Format xmlns="syncml:metinf">bool</Format></Meta>
<Data>false</Data>
</Item>
<Item>
<Source><LocURI>./Vendor/MSFT/DeviceInstanceService/PhoneNumber</LocURI></Source>
<Data>+14254458055</Data>
</Item>
</Results>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

294
windows/client-management/mdm/devicelock-csp.md Normal file
View File

@ -0,0 +1,294 @@
---
title: DeviceLock CSP
description: DeviceLock CSP
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 9a547efb-738e-4677-95d3-5506d350d8ab
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceLock CSP
The DeviceLock configuration service provider is used by the enterprise management server to configure device lock related policies. This configuration service provider is supported by an enterprise management server.
> **Note**   The DeviceLock CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future.
 
The DevicePasswordEnabled setting must be set to 0 (device password is enabled) for the following settings to take effect:
- AllowSimpleDevicePassword
- MinDevicePasswordLength
- AlphanumericDevicePasswordRequired
- MaxDevicePasswordFailedAttempts
- MaxInactivityTimeDeviceLock
- MinDevicePasswordComplexCharacters
The following image shows the DeviceLock configuration service provider in tree format.
![devicelock csp](images/provisioning-csp-devicelock.png)
<a href="" id="provider"></a>**Provider**
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
<a href="" id="---------------providerid"></a> ***ProviderID***
Optional. The node that contains the configured management server's ProviderID. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one *ProviderID* node. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported:
- **Add** - Add the management account to the configuration service provider tree.
- **Delete** - Delete all policies set by this account. This command could be used in enterprise unenrollment for removing policy values set by the enterprise management server.
- **Get** - Return all policies set by the management server.
> **Note**   The value cannot be changed after it is added. The **Replace** command isn't supported.
 
<a href="" id="providerid-devicepasswordenabled"></a>***ProviderID*/DevicePasswordEnabled**
Optional. An integer value that specifies whether device lock is enabled. Possible values are one of the following:
- 0 - Device lock is enabled.
- 1 (default) - Device lock not enabled.
The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-allowsimpledevicepassword"></a>***ProviderID*/AllowSimpleDevicePassword**
Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values for this node are one of the following:
- 0 - Not allowed.
- 1 (default) - Allowed.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-mindevicepasswordlength"></a>***ProviderID*/MinDevicePasswordLength**
Optional. An integer value that specifies the minimum number of characters required in the PIN. Valid values are 4 to 18 inclusive. The default value is 4. Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-alphanumericdevicepasswordrequired"></a>***ProviderID*/AlphanumericDevicePasswordRequired**
Optional. An integer value that specifies the complexity of the password or PIN allowed.
Valid values are one of the following:
- 0 - Alphanumeric password required
- 1 - Users can choose a numeric or alphanumeric password
- 2 - Users can choose no password, numeric password, or alphanumeric password
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-devicepasswordexpiration"></a>***ProviderID*/DevicePasswordExpiration**
Deprecated in Windows 10.
<a href="" id="providerid-devicepasswordhistory"></a>***ProviderID*/DevicePasswordHistory**
Deprecated in Windows 10.
<a href="" id="providerid-maxdevicepasswordfailedattempts"></a>***ProviderID*/MaxDevicePasswordFailedAttempts**
Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device will not be wiped regardless of the number of authentication failures.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-maxinactivitytimedevicelock"></a>***ProviderID*/MaxInactivityTimeDeviceLock**
Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it is password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="providerid-mindevicepasswordcomplexcharacters"></a>***ProviderID*/MinDevicePasswordComplexCharacters**
Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 4 for mobile and 1 to 3 for desktop. The default value is 1.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="devicevalue"></a>**DeviceValue**
Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are actually applied to the device. The scope is permanent.
Supported operation is Get.
<a href="" id="devicevalue-devicepasswordenable-----mindevicepasswordcomplexcharacters"></a>**DeviceValue/DevicePasswordEnable, …, MinDevicePasswordComplexCharacters**
Required. This node has the same set of policy nodes as the **ProviderID** node. All nodes under **DeviceValue** are read-only permanent nodes. Each node represents the current device lock policy. For detailed descriptions of each policy, see the ***ProviderID*** subnode descriptions.
## OMA DM examples
Set device lock policies:
``` syntax
<Atomic>
<CmdID>13</CmdID>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MaxDevicePasswordFailedAttempts
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>4</Data>
</Item>
</Add>
<Add>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordEnabled</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Add>
<Add>
<CmdID>4</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/AllowSimpleDevicePassword
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>5</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MinDevicePasswordLength
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>5</Data>
</Item>
</Add>
<Add>
<CmdID>6</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/AlphanumericDevicePasswordRequired
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>7</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordExpiration
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Add>
<Add>
<CmdID>8</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordHistory
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>50</Data>
</Item>
</Add>
<Add>
<CmdID>9</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MaxInactivityTimeDeviceLock
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Add>
<Add>
<CmdID>10</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MinDevicePasswordComplexCharacters
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Add>
</Atomic>
```
## Remarks
All node values under the **ProviderID** interior node represent the policy values set by the management server.
- An **Add** or **Replace** command on those nodes returns success in the following cases:
- The value is actually applied to the device.
- The value isn't applied to the device because the device has a more secure value set already.
From a security perspective, the device complies with the policy request that is at least as secure as the one requested.
- A **Get** command on those nodes returns the value the server pushes down to the device.
- If a **Replace** command fails, the node value is set back to the value that was to be replaced.
- If an **Add** command fails, the node is not created.
The value applied to the device can be queried via the nodes under the **DeviceValue** interior node.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

513
windows/client-management/mdm/devicelock-ddf-file.md Normal file
View File

@ -0,0 +1,513 @@
---
title: DeviceLock DDF file
description: DeviceLock DDF file
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 46a691b9-6350-4987-bfc7-f8b1eece3ad9
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceLock DDF file
This topic shows the OMA DM device description framework (DDF) for the **DeviceLock** configuration service provider. DDF files are used only with OMA DM provisioning XML.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC "-//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree>
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DeviceLock</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName>com.microsoft/1.0/WindowsPhone/DeviceLock </DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Provider</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DevicePasswordEnabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowSimpleDevicePassword</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MinDevicePasswordLength</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>4</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AlphanumericDevicePasswordRequired</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>2</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DevicePasswordExpiration</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DevicePasswordHistory</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxDevicePasswordFailedAttempts</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxInactivityTimeDeviceLock</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MinDevicePasswordComplexCharacters</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>DeviceValue</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DevicePasswordEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowSimpleDevicePassword</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MinDevicePasswordLength</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AlphanumericDevicePasswordRequired</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DevicePasswordExpiration</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DevicePasswordHistory</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxDevicePasswordFailedAttempts</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxInactivityTimeDeviceLock</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MinDevicePasswordComplexCharacters</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[DeviceLock configuration service provider](devicelock-csp.md)
 
 

45
windows/client-management/mdm/devicemanageability-csp.md Normal file
View File

@ -0,0 +1,45 @@
---
title: DeviceManageability CSP
description: The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceManageability CSP
The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
The following diagram shows the DeviceManageability configuration service provider in a tree format.
![devicemanageability csp diagram](images/provisioning-csp-devicemanageability.png)
<a href="" id="--device-vendor-msft-devicemanageability"></a>**./Device/Vendor/MSFT/DeviceManageability**
Root node to group information about runtime MDM configuration capability on the target device.
<a href="" id="capabilities"></a>**Capabilities**
Interior node.
<a href="" id="capabilities-cspversions"></a>**Capabilities/CSPVersions**
Returns the versions of all configuration service providers supported on the device for the MDM service.
 
 

108
windows/client-management/mdm/devicemanageability-ddf.md Normal file
View File

@ -0,0 +1,108 @@
---
title: DeviceManageability DDF
description: This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: D7FA8D51-95ED-40D2-AA84-DCC4BBC393AB
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceManageability DDF
This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DeviceManageability</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/DeviceManageability</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>Capabilities</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CSPVersions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Returns the versions of all configuration service providers (CSP) for MDM. </Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

241
windows/client-management/mdm/devicestatus-csp.md Normal file
View File

@ -0,0 +1,241 @@
---
title: DeviceStatus CSP
description: The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceStatus CSP
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
The following image shows the DeviceStatus configuration service provider in tree format.
![devicestatus csp](images/provisioning-csp-devicestatus.png)
<a href="" id="devicestatus"></a>**DeviceStatus**
The root node for the DeviceStatus configuration service provider.
<a href="" id="devicestatus-securebootstate"></a>**DeviceStatus/SecureBootState**
Indicates whether secure boot is enabled. The value is one of the following:
- 0 - Not supported
- 1 - Enabled
- 2 - Disabled
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities"></a>**DeviceStatus/CellularIdentities**
Required. Node for queries on the SIM cards.
> **Note**  Multiple SIMs are supported.
 
<a href="" id="devicestatus-cellularidentities-imei"></a>**DeviceStatus/CellularIdentities/****_IMEI_**
The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device.
<a href="" id="devicestatus-cellularidentities-imei-imsi"></a>**DeviceStatus/CellularIdentities/*IMEI*/IMSI**
The International Mobile Subscriber Identity (IMSI) associated with the IMEI number.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-iccid"></a>**DeviceStatus/CellularIdentities/*IMEI*/ICCID**
The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-phonenumber"></a>**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber**
Phone number associated with the specific IMEI number.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-commercializationoperator"></a>**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator**
The mobile service provider or mobile operator associated with the specific IMEI number.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-roamingstatus"></a>**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus**
Indicates whether the SIM card associated with the specific IMEI number is roaming.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-roamingcompliance"></a>**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance**
Boolean value that indicates compliance with the enforced enterprise roaming policy.
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers"></a>**DeviceStatus/NetworkIdentifiers**
Node for queries on network and device properties.
<a href="" id="devicestatus-networkidentifiers-macaddress"></a>**DeviceStatus/NetworkIdentifiers/****_MacAddress_**
MAC address of the wireless network card. A MAC address is present for each network card on the device.
<a href="" id="devicestatus-networkidentifiers-macaddress-ipaddressv4"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4**
IPv4 address of the network card associated with the MAC address.
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-ipaddressv6"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6**
IPv6 address of the network card associated with the MAC address.
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-isconnected"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected**
Boolean value that indicates whether the network card associated with the MAC address has an active network connection.
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-type"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
Type of network connection. The value is one of the following:
- 2 - WLAN (or other Wireless interface)
- 1 - LAN (or other Wired interface)
- 0 - Unknown
Supported operation is Get.
<a href="" id="devicestatus-compliance"></a>**DeviceStatus/Compliance**
Node for the compliance query.
<a href="" id="devicestatus-compliance-encryptioncompliance"></a>**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy. The value is one of the following:
- 0 - not encrypted
- 1 - encrypted
Supported operation is Get.
<a href="" id="devicestatus-tpm"></a>**DeviceStatus/TPM**
Added in , version 1607. Node for the TPM query.
Supported operation is Get.
<a href="" id="devicestatus-tpm-specificationversion"></a>**DeviceStatus/TPM/SpecificationVersion**
Added in , version 1607. String that specifies the specification version.
Supported operation is Get.
<a href="" id="devicestatus-os"></a>**DeviceStatus/OS**
Added in , version 1607. Node for the OS query.
Supported operation is Get.
<a href="" id="devicestatus-os-edition"></a>**DeviceStatus/OS/Edition**
Added in , version 1607. String that specifies the OS edition.
Supported operation is Get.
<a href="" id="devicestatus-antivirus"></a>**DeviceStatus/Antivirus**
Added in , version 1607. Node for the antivirus query.
Supported operation is Get.
<a href="" id="devicestatus-antivirus-signaturestatus"></a>**DeviceStatus/Antivirus/SignatureStatus**
Added in , version 1607. Integer that specifies the status of the antivirus signature.
Valid values:
- 0 - The security software reports that it is not the most recent version.
- 1 (default) - The security software reports that it is the most recent version.
- 2 Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
Supported operation is Get.
<a href="" id="devicestatus-antivirus-status"></a>**DeviceStatus/Antivirus/Status**
Added in , version 1607. Integer that specifies the status of the antivirus.
Valid values:
- 0 Antivirus is on and monitoring
- 1 Antivirus is disabled
- 2 Antivirus is not monitoring the device/PC or some options have been turned off
- 3 (default) Antivirus is temporarily not completely monitoring the device/PC
- 4 Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
Supported operation is Get.
<a href="" id="devicestatus-antispyware"></a>**DeviceStatus/Antispyware**
Added in , version 1607. Node for the antispyware query.
Supported operation is Get.
<a href="" id="devicestatus-antispyware-signaturestatus"></a>**DeviceStatus/Antispyware/SignatureStatus**
Added in , version 1607. Integer that specifies the status of the antispyware signature.
Supported operation is Get.
<a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**
Added in , version 1607. Integer that specifies the status of the antispyware.
Supported operation is Get.
<a href="" id="devicestatus-firewall"></a>**DeviceStatus/Firewall**
Added in , version 1607. Node for the firewall query.
Supported operation is Get.
<a href="" id="devicestatus-firewall-status"></a>**DeviceStatus/Firewall/Status**
Added in , version 1607. Integer that specifies the status of the firewall.
Valid values:
- 0 Firewall is on and monitoring
- 1 Firewall has been disabled
- 2 Firewall is not monitoring all networks or some rules have been turned off
- 3 (default) Firewall is temporarily not monitoring all networks
- 4 Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesnt exist.)
Supported operation is Get.
<a href="" id="devicestatus-uac"></a>**DeviceStatus/UAC**
Added in , version 1607. Node for the UAC query.
Supported operation is Get.
<a href="" id="devicestatus-uac-status"></a>**DeviceStatus/UAC/Status**
Added in , version 1607. Integer that specifies the status of the UAC.
Supported operation is Get.
<a href="" id="devicestatus-battery"></a>**DeviceStatus/Battery**
Added in , version 1607. Node for the battery query.
Supported operation is Get.
<a href="" id="devicestatus-battery-status"></a>**DeviceStatus/Battery/Status**
Added in , version 1607. Integer that specifies the status of the battery
Supported operation is Get.
<a href="" id="devicestatus-battery-estimatedchargeremaining"></a>**DeviceStatus/Battery/EstimatedChargeRemaining**
Added in , version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx).
The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
<a href="" id="devicestatus-battery-estimatedruntime"></a>**DeviceStatus/Battery/EstimatedRuntime**
Added in , version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx).
The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
 
 

778
windows/client-management/mdm/devicestatus-ddf.md Normal file
View File

@ -0,0 +1,778 @@
---
title: DeviceStatus DDF
description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML.
MSHAttr:
- 'PreferredSiteName:MSDN'
- 'PreferredLib:/library/windows/hardware'
ms.assetid: 780DC6B4-48A5-4F74-9F2E-6E0D88902A45
ms.author: windows-hardware-design-content
ms.date: 05/02/2017
ms.topic: article
ms.prod: windows-hardware
ms.technology: windows-oem
---
# DeviceStatus DDF
This topic shows the OMA DM device description framework (DDF) for the **DeviceStatus** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DeviceStatus</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.2/MDM/DeviceStatus</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>SecureBootState</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CellularIdentities</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>IMEI</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>IMSI</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ICCID</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PhoneNumber</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CommercializationOperator</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RoamingStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RoamingCompliance</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>NetworkIdentifiers</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>MacAddress</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>IPAddressV4</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IPAddressV6</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsConnected</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Type</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Compliance</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EncryptionCompliance</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>TPM</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>SpecificationVersion</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>Not available</DefaultValue>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>OS</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Edition</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>Not available</DefaultValue>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Antivirus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>SignatureStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>1</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>3</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Antispyware</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>SignatureStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>1</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>3</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Firewall</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>3</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>UAC</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Battery</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EstimatedChargeRemaining</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EstimatedRuntime</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

Some files were not shown because too many files have changed in this diff Show More