From 294a18829bb7d88fb88747bd2b4bd8c973245f4b Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Mon, 4 May 2020 17:03:23 -0700 Subject: [PATCH] removed unecessary code --- .../mdm/enterprisedataprotection-csp.md | 91 +++++++++---------- 1 file changed, 45 insertions(+), 46 deletions(-) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index f1b700570f..087a86e9a8 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -34,82 +34,82 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format. ![enterprisedataprotection csp diagram](images/provisioning-csp-enterprisedataprotection.png) **./Device/Vendor/MSFT/EnterpriseDataProtection** -

The root node for the CSP. +The root node for the CSP. **Settings** -

The root node for the Windows Information Protection (WIP) configuration settings. +The root node for the Windows Information Protection (WIP) configuration settings. **Settings/EDPEnforcementLevel** -

Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. +Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. -

The following list shows the supported values: +The following list shows the supported values: - 0 (default) – Off / No protection (decrypts previously protected data). - 1 – Silent mode (encrypt and audit only). - 2 – Allow override mode (encrypt, prompt and allow overrides, and audit). - 3 – Hides overrides (encrypt, prompt but hide overrides, and audit). -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/EnterpriseProtectedDomainNames** -

A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. +A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. -

Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. +Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. > [!Note] > The client requires domain name to be canonical, otherwise the setting will be rejected by the client. -

Here are the steps to create canonical domain names: +Here are the steps to create canonical domain names: 1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com. 2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. 3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). -

Supported operations are Add, Get, Replace, and Delete. Value type is string. +Supported operations are Add, Get, Replace, and Delete. Value type is string. **Settings/AllowUserDecryption** -

Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences. +Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences. > [!IMPORTANT] > Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. -

The following list shows the supported values: +The following list shows the supported values: - 0 – Not allowed. - 1 (default) – Allowed. -

Most restricted value is 0. +Most restricted value is 0. -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RequireProtectionUnderLockConfig** -

Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy. +Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy. -

The following list shows the supported values: +The following list shows the supported values: - 0 (default) – Not required. - 1 – Required. -

Most restricted value is 1. +Most restricted value is 1. -

The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware. +The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware. > [!Note] > This setting is only supported in Windows 10 Mobile. -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/DataRecoveryCertificate** -

Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy. +Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy. > [!Note] > If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced. -

DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP. +DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP. The binary blob is the serialized version of following structure: ``` syntax @@ -234,60 +234,59 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { ``` -

For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate. +For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate. -

Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate. +Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate. **Settings/RevokeOnUnenroll** -

This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. +This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. -

The following list shows the supported values: +The following list shows the supported values: - 0 – Don't revoke keys. - 1 (default) – Revoke keys. -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RevokeOnMDMHandoff** -

Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. +Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. - 0 - Don't revoke keys - 1 (default) - Revoke keys -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RMSTemplateIDForEDP** -

TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access. +TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access. -

Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID). +Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID). **Settings/AllowAzureRMSForEDP** -

Specifies whether to allow Azure RMS encryption for WIP. +Specifies whether to allow Azure RMS encryption for WIP. - 0 (default) – Don't use RMS. - 1 – Use RMS. -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/SMBAutoEncryptedFileExtensions** -

Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. -

When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. -

Supported operations are Add, Get, Replace and Delete. Value type is string. +Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. +When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. +Supported operations are Add, Get, Replace and Delete. Value type is string. **Settings/EDPShowIcons** -

Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. - -

The following list shows the supported values: +Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. +The following list shows the supported values: - 0 (default) - No WIP overlays on icons or tiles. - 1 - Show WIP overlays on protected files and apps that can only create enterprise content. -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Status** -

A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured. +A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured. -

Suggested values: +Suggested values: @@ -322,13 +321,13 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { -

Bit 0 indicates whether WIP is on or off. +Bit 0 indicates whether WIP is on or off. -

Bit 1 indicates whether AppLocker WIP policies are set. +Bit 1 indicates whether AppLocker WIP policies are set. -

Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero). +Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero). -

Here's the list of mandatory WIP policies: +Here's the list of mandatory WIP policies: - EDPEnforcementLevel in EnterpriseDataProtection CSP - DataRecoveryCertificate in EnterpriseDataProtection CSP @@ -336,9 +335,9 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { - NetworkIsolation/EnterpriseIPRange in Policy CSP - NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP -

Bits 2 and 4 are reserved for future use. +Bits 2 and 4 are reserved for future use. -

Supported operation is Get. Value type is integer. +Supported operation is Get. Value type is integer.