Acrolinx enhancement effort

Siddarth Mandalika 2022-03-03 15:32:52 +05:30
parent 73ca4833c0
commit 2c61d93030
7 changed files with 106 additions and 106 deletions


@ -19,9 +19,9 @@ The NAP (Network Access Point) Configuration Service Provider is used to manage
> [!Note] > [!Note]
> This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application. > This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application.
For the NAP CSP, you cannot use the Replace command unless the node already exists. For the NAP CSP, you can't use the Replace command unless the node already exists.
The following shows the NAP configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. The following example shows the NAP configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol isn't supported by this configuration service provider.
```console ```console
./Vendor/MSFT ./Vendor/MSFT
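Review bot: "The following example shows the NAP configuration service provider management object in tree format" mislabels the tree; it is the CSP's full management object, not an example of one, so "The following shows" or "The following tree shows" is the accurate wording. The same "example" phrasing is introduced in the NetworkQoSPolicy and NodeCache files in this commit, so fix it consistently.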
@ -67,7 +67,7 @@ Root node.
<a href="" id="napx"></a>***NAPX*** <a href="" id="napx"></a>***NAPX***
Required. Defines the name of the network access point. Required. Defines the name of the network access point.
It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead).
<a href="" id="napx-napid"></a>***NAPX*/NAPID** <a href="" id="napx-napid"></a>***NAPX*/NAPID**
Required. Specifies the identifier of the destination network. Required. Specifies the identifier of the destination network.
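Review bot: minor grammar in "It's recommended that this element name is specified as a numbered node"; after "recommended that" the verb should be "be specified". The rest of the line, including the "%20 instead of spaces" rule, is unchanged.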
@ -105,13 +105,13 @@ Optional. Specifies the user name and domain to be used during authentication. T
<a href="" id="napx-authinfo-authsecret"></a>***NAPX*/AuthInfo/AuthSecret** <a href="" id="napx-authinfo-authsecret"></a>***NAPX*/AuthInfo/AuthSecret**
Optional. Specifies the password used during authentication. Optional. Specifies the password used during authentication.
Queries of this field will return a string composed of sixteen asterisks (\*). Queries of this field will return a string composed of 16 asterisks (\*).
<a href="" id="napx-bearer"></a>***NAPX*/Bearer** <a href="" id="napx-bearer"></a>***NAPX*/Bearer**
Node. Node.
<a href="" id="napx-bearer-bearertype"></a>***NAPX*/Bearer/BearerType** <a href="" id="napx-bearer-bearertype"></a>***NAPX*/Bearer/BearerType**
Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi. Required. Specifies the network type of the destination network. This parameter's value can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi.
## Related articles ## Related articles
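Review bot: "This parameter's value can be set to GPRS, CDMA2000, ..." in the BearerType description introduces "parameter", a term this file does not use; the surrounding entries describe nodes ("Node.", "Required. Specifies ..."), so "Valid values are GPRS, CDMA2000, ..." or "This node can be set to ..." matches the rest of the file. Changing "sixteen" to "16" asterisks in the AuthSecret query description is fine and the masking behaviour it documents is unchanged.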


@ -21,7 +21,7 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP
> >
> This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application. > This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol isn't supported by this configuration service provider.
```console ```console
NAPDEF NAPDEF
@ -39,7 +39,7 @@ NAPDEF
----NAPID ----NAPID
``` ```
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol isn't supported by this configuration service provider.
```console ```console
NAPDEF NAPDEF
@ -74,7 +74,7 @@ Specifies the protocol used to authenticate the user.
The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note
> [!Note] > [!Note]
> **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change. > **AuthName** and **AuthSecret** are not created if **AuthType** isn't included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** isn't included in the provisioning XML used to make the change.
<a href="" id="bearer"></a>**BEARER** <a href="" id="bearer"></a>**BEARER**
Specifies the type of bearer. Specifies the type of bearer.
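Review bot: the unchanged text '"POP" (Password Authentication Protocol)' carries a typo this pass should catch: the Password Authentication Protocol is PAP, and the acronym matters to a reader choosing between PAP (password sent as-is) and CHAP (challenge/response). The stray "Note" at the end of that sentence duplicates the "> [!Note]" callout that follows and should be deleted. Inside the callout, "are not created" and "cannot be changed" were left uncontracted while "isn't" was contracted twice in the same sentences; pick one style.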
@ -82,11 +82,11 @@ Specifies the type of bearer.
Only Global System for Mobile Communication (GSM) and GSM-General Packet Radio Services (GPRS) are supported. Only Global System for Mobile Communication (GSM) and GSM-General Packet Radio Services (GPRS) are supported.
<a href="" id="internet"></a>**INTERNET** <a href="" id="internet"></a>**INTERNET**
Optional. Specifies whether this is an AlwaysOn connection. Optional. Specifies whether this connection is an AlwaysOn connection.
If **INTERNET** exists, the connection is an AlwaysOn connection and does not require a connection manager policy. If **INTERNET** exists, the connection is an AlwaysOn connection and doesn't require a connection manager policy.
If **INTERNET** does not exist, the connection is not an AlwaysOn connection and the connection requires a connection manager connection policy to be set. If **INTERNET** doesn't exist, the connection isn't an AlwaysOn connection and the connection requires a connection manager connection policy to be set.
<a href="" id="local-addr"></a>**LOCAL-ADDR** <a href="" id="local-addr"></a>**LOCAL-ADDR**
Required for GPRS. Specifies the local address of the WAP client for GPRS access points. Required for GPRS. Specifies the local address of the WAP client for GPRS access points.
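Review bot: "Specifies whether this connection is an AlwaysOn connection" repeats "connection"; "Specifies whether the connection is AlwaysOn" reads better, and the next two lines already spell out both cases. "a connection manager connection policy" in the third line has the same doubled word and was not touched.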
@ -115,7 +115,7 @@ The maximum length of the **NAPID** value is 16 characters.
<a href="" id="napid"></a>***NAPID*** <a href="" id="napid"></a>***NAPID***
Required for bootstrapping updating. Defines the name of the NAP. Required for bootstrapping updating. Defines the name of the NAP.
The name of the *NAPID* element is the same as the value passed during initial bootstrapping. In addition, the Microsoft format for NAPDEF contains the provisioning XML attribute mwid. This custom attribute is optional when adding a NAP or a proxy. It is required for *NAPID* when updating and deleting existing NAPs and proxies and must have its value set to 1. The name of the *NAPID* element is the same as the value passed during initial bootstrapping. In addition, the Microsoft format for NAPDEF contains the provisioning XML attribute mwid. This custom attribute is optional when adding a NAP or a proxy. It's required for *NAPID* when updating and deleting existing NAPs and proxies and must have its value set to 1.
## Microsoft Custom Elements ## Microsoft Custom Elements
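Review bot: "the provisioning XML attribute mwid" names an XML attribute in plain text while this file puts identifiers such as `ID_CAP_CSP_FOUNDATION` in code formatting; `mwid` should match. "Required for bootstrapping updating" in the unchanged line above is awkward; "Required when updating the bootstrap configuration" is clearer.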
@ -123,7 +123,7 @@ The following table shows the Microsoft custom elements that this configuration
|Elements|Available| |Elements|Available|
|--- |--- | |--- |--- |
|Parm-query|Yes <br>Note that some GPRS parameters will not necessarily contain the exact same value as was set.| |Parm-query|Yes <br>Some GPRS parameters won't necessarily contain the exact same value as was set.|
|Noparm|Yes| |Noparm|Yes|
|Nocharacteristic|Yes| |Nocharacteristic|Yes|
|Characteristic-query|Yes| |Characteristic-query|Yes|


@ -1,6 +1,6 @@
--- ---
title: NetworkQoSPolicy CSP title: NetworkQoSPolicy CSP
description: he NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. description: The NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10
@ -31,7 +31,7 @@ The following actions are supported:
> >
> The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Windows 10, version 2004. > The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Windows 10, version 2004.
The following shows the NetworkQoSPolicy configuration service provider in tree format. The following example shows the NetworkQoSPolicy configuration service provider in tree format.
``` ```
./Device/Vendor/MSFT ./Device/Vendor/MSFT
NetworkQoSPolicy NetworkQoSPolicy
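Review bot: the fence here is a bare ``` while the NAP and NAPDEF files in this same commit use ```console for the same kind of tree listing; align the fence language so the trees render the same. "The following example shows the NetworkQoSPolicy configuration service provider in tree format" has the same problem as the NAP file: this is the provider's tree, not an example.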


@ -20,7 +20,7 @@ ms.date: 10/20/2020
This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions. This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions.
For details about Microsoft mobile device management protocols for Windows 10 and Windows 11 see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). For details about Microsoft mobile device management protocols for Windows 10 and Windows 11, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
## Whats new in MDM for Windows 11, version 21H2 ## Whats new in MDM for Windows 11, version 21H2
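Review bot: the heading "## Whats new in MDM for Windows 11, version 21H2" is missing the apostrophe in "What's" on both sides of the diff; since this commit is a contraction pass, fix it here. Adding the comma after "Windows 11" in the "For details about" sentence is correct.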
@ -35,15 +35,15 @@ For details about Microsoft mobile device management protocols for Windows 10 a
### Get command inside an atomic command is not supported ### Get command inside an atomic command is not supported
In Windows 10 and Windows 11, a Get command inside an atomic command is not supported. In Windows 10 and Windows 11, a Get command inside an atomic command isn't supported.
### Apps installed using WMI classes are not removed ### Apps installed using WMI classes are not removed
Applications installed using WMI classes are not removed when the MDM account is removed from device. Applications installed using WMI classes aren't removed when the MDM account is removed from device.
### Passing CDATA in SyncML does not work ### Passing CDATA in SyncML does not work
Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windows 10 and Windows 11. Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work in Windows 10 and Windows 11.
### SSL settings in IIS server for SCEP must be set to "Ignore" ### SSL settings in IIS server for SCEP must be set to "Ignore"
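Review bot: the body text was switched to "isn't", "aren't" and "doesn't", but the three headings directly above each paragraph ("### Get command inside an atomic command is not supported", "### Apps installed using WMI classes are not removed", "### Passing CDATA in SyncML does not work") still use the uncontracted forms; either contract the headings too or leave the bodies, otherwise each heading now disagrees with its own first sentence.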
@ -53,7 +53,7 @@ The certificate setting under "SSL Settings" in the IIS server for SCEP must be
### MDM enrollment fails on the Windows device when traffic is going through proxy ### MDM enrollment fails on the Windows device when traffic is going through proxy
When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that does not require authentication or remove the proxy setting from the connected network. When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that doesn't require authentication or remove the proxy setting from the connected network.
### Server-initiated unenrollment failure ### Server-initiated unenrollment failure
@ -63,26 +63,26 @@ Remote server unenrollment is disabled for mobile devices enrolled via Azure Act
### Certificates causing issues with Wi-Fi and VPN ### Certificates causing issues with Wi-Fi and VPN
In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue.
### Version information for Windows 11 ### Version information for Windows 11
The software version information from **DevDetail/Ext/Microsoft/OSPlatform** does not match the version in **Settings** under **System/About**. The software version information from **DevDetail/Ext/Microsoft/OSPlatform** doesn't match the version in **Settings** under **System/About**.
### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 and Windows 11 ### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 and Windows 11
In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate. In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate.
Enterprises deploying certificate based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This can lead to issues such as: Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as:
- The user may be prompted to select the certificate. - The user may be prompted to select the certificate.
- The wrong certificate may get auto selected and cause an authentication failure. - The wrong certificate may get auto selected and cause an authentication failure.
A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication. A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
EAP XML must be updated with relevant information for your environment This can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
- For Wi-Fi, look for the &lt;EAPConfig&gt; section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under &lt;EAPConfig&gt; with your updated XML and update your Wi-Fi profile. You might need to refer to your MDMs guidance on how to deploy a new Wi-Fi profile. - For Wi-Fi, look for the &lt;EAPConfig&gt; section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under &lt;EAPConfig&gt; with your updated XML and update your Wi-Fi profile. You might need to refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. - For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>. For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
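Review bot: "doesn't have a strict filtering criteria" keeps a number mismatch ("a ... criteria"); use "strict filtering criteria" or "a strict filtering criterion". Hyphenation is applied inconsistently in this hunk: "certificate-based" was hyphenated but "production ready deployment", "step by step UI guide" and "auto selected" were not. "your MDMs guidance" needs an apostrophe ("MDM's"). In the Wi-Fi bullet, "(This detail is what you specify for the WLanXml node in the Wi-Fi CSP)" reads oddly; "(this is the value of the WLanXml node in the Wi-Fi CSP)" says the same thing. The substantive guidance, that the profile must filter down to exactly one certificate so the wrong one is not auto-selected, is unchanged and correct.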
@ -98,14 +98,14 @@ The following list describes the prerequisites for a certificate to be used with
- The certificate must have at least one of the following EKU (Extended Key Usage) properties: - The certificate must have at least one of the following EKU (Extended Key Usage) properties:
- Client Authentication. - Client Authentication.
- As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2. - As defined by RFC 5280, this property is a well-defined OID with Value 1.3.6.1.5.5.7.3.2.
- Any Purpose. - Any Purpose.
- An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering. - An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose. - All Purpose.
- As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes.
- The user or the computer certificate on the client chains to a trusted root CA. - The user or the computer certificate on the client chains to a trusted root CA.
- The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. - The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. - The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. - The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
The following XML sample explains the properties for the EAP TLS XML including certificate filtering. The following XML sample explains the properties for the EAP TLS XML including certificate filtering.
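Review bot: in the Any Purpose bullet, "An EKU Defined and published by Microsoft, is a well-defined OID" has a stray capital and comma; "An EKU defined and published by Microsoft; it is a well-defined OID" fixes both. "this property is a well-defined OID" in the Client Authentication bullet is odd, since the EKU is not a property of the OID; "this EKU is identified by OID 1.3.6.1.5.5.7.3.2" is precise. In the All Purpose bullet, "As defined by RFC 5280, If a CA" has a mid-sentence capital, and "an Extended Key Usage Value of 0" is not how RFC 5280 describes it: the special value is the anyExtendedKeyUsage OID (2.5.29.37.0). "Radius Server" should be "RADIUS server". Worth keeping in mind when editing this list: the Any Purpose and All Purpose EKUs make a certificate eligible for everything, which is exactly what the filtering in this section is trying to avoid, so the text's advice to add non-critical custom EKUs for filtering is the part readers should act on.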
@ -219,14 +219,14 @@ Alternatively you can use the following procedure to create an EAP Configuration
1. Follow steps 1 through 7 in [EAP configuration](eap-configuration.md). 1. Follow steps 1 through 7 in [EAP configuration](eap-configuration.md).
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.) 2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.).
:::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png"::: :::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png":::
> [!NOTE] > [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure. > For PEAP or TTLS, select the appropriate method and continue following this procedure.
3. Click the **Properties** button underneath the drop down menu. 3. Click the **Properties** button underneath the drop-down menu.
4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. 4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
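Review bot: step 2 now ends "(this drop-down menu selects EAP TLS.)." with a double terminator, and the parenthetical is wrong: the menu does not select EAP-TLS, the "Microsoft : Smart Card or other Certificate" entry does. "(this entry corresponds to EAP-TLS)" followed by a single period fixes both. Hyphenating "drop-down" in steps 2 and 3 is consistent with the rest of the page.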
@ -246,17 +246,17 @@ Alternatively you can use the following procedure to create an EAP Configuration
> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)). > You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
### MDM client will immediately check-in with the MDM server after client renews WNS channel URI ### MDM client will immediately check in with the MDM server after client renews WNS channel URI
After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
### User provisioning failure in Azure Active Directory joined Windows 10 and Windows 11 devices ### User provisioning failure in Azure Active Directory joined Windows 10 and Windows 11 devices
In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user is not logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** &gt; **System** &gt; **About** user interface, make sure to log off and log on with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** &gt; **System** &gt; **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.
### Requirements to note for VPN certificates also used for Kerberos Authentication ### Requirements to note for VPN certificates also used for Kerberos Authentication
If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication.
### Device management agent for the push-button reset is not working ### Device management agent for the push-button reset is not working
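Review bot: the heading was changed to "check in" (verb), but the first sentence of the paragraph still reads "will immediately check-in with the MDM server", so the hyphenated noun form is still used as a verb one line below; apply the same change there (the later "for every MDM client check-in" is a noun and stays hyphenated). In the Azure AD section, "ensure to sign out and sign in" is not grammatical; "make sure to sign out and sign in" or "sign out and sign back in" works. In the Kerberos section, "the requirements for smart card certificate" needs an article ("a smart card certificate"), and the sentence is a run-on that should be split after "smart card certificate".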
@ -270,7 +270,7 @@ The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-
No. Only one MDM is allowed. No. Only one MDM is allowed.
### How do I set the maximum number of Azure Active Directory joined devices per user? ### How do I set the maximum number of Azure Active Directory joined devices per user?
1. Login to the portal as tenant admin: https://manage.windowsazure.com. 1. Log on to the portal as tenant admin: https://manage.windowsazure.com.
2. Click Active Directory on the left pane. 2. Click Active Directory on the left pane.
3. Choose your tenant. 3. Choose your tenant.
4. Click **Configure**. 4. Click **Configure**.
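Review bot: step 1 was changed to "Log on to the portal" while the Azure AD paragraph earlier in this same file was changed to "sign out and sign in"; use "Sign in to the portal" for consistency. The bare URL https://manage.windowsazure.com is left unlinked while other references on the page use markdown links.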
@ -283,9 +283,9 @@ No. Only one MDM is allowed.
Entry | Description Entry | Description
--------------- | -------------------- --------------- | --------------------
What is dmwappushsvc? | It is a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service does not send telemetry.| What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service doesn't send telemetry.|
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. Disabling this will cause your management to fail.| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|
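Review bot: the row header "How do I turn if off?" has a typo ("it off") present on both sides of the diff; fix it while touching the row. "the windows management platform" should capitalize "Windows" as in the rest of the table. "we strongly recommend not to disable the service" reads better as "we strongly recommend that you do not disable it".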
@ -337,7 +337,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
| [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. | | [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. |
| [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. | | [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. |
| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. | | [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. |
| [SUPL CSP](supl-csp.md) | Added 3 new certificate nodes in Windows 10, version 1809. | | [SUPL CSP](supl-csp.md) | Added three new certificate nodes in Windows 10, version 1809. |
| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. | | [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. |
| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. | | [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. |
| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. | | [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. |

View File

@ -25,9 +25,9 @@ application/x-nodemon-sha256
</type> </type>
``` ```
NodeCache will hash the values and compare with a hash value that was sent down by the server. This supports checking a parent node and its children recursively. NodeCache will hash the values and compare with a hash value that was sent down by the server. This process supports checking a parent node and its children recursively.
The following shows the NodeCache configuration service provider in tree format. The following example shows the NodeCache configuration service provider in tree format.
``` ```
./User/Vendor/MSFT ./User/Vendor/MSFT
NodeCache NodeCache
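Review bot: "The following example shows the NodeCache configuration service provider in tree format" is inaccurate; the fenced tree is the provider's node structure, not an example of it. Keep the original "The following shows..." or use "The following tree shows...".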
@ -69,7 +69,7 @@ NodeCache
----------------AutoSetExpectedValue ----------------AutoSetExpectedValue
``` ```
<a href="" id="--device-vendor-msft"></a>**./Device/Vendor/MSFT and ./User/Vendor/MSFT** <a href="" id="--device-vendor-msft"></a>**./Device/Vendor/MSFT and ./User/Vendor/MSFT**
Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This is a predefined MIME type to identify this managed object in OMA DM syntax. Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This parameter's value is a predefined MIME type to identify this managed object in OMA DM syntax.
<a href="" id="providerid"></a>***ProviderID*** <a href="" id="providerid"></a>***ProviderID***
Optional. Group settings per DM server. Each group of settings is distinguished by the servers Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic. Optional. Group settings per DM server. Each group of settings is distinguished by the servers Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic.
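Review bot: "This parameter's value is a predefined MIME type" misdescribes the root node, which is not a parameter; the sentence refers to the MIME type that identifies the managed object. Suggest "A predefined MIME type identifies this managed object in OMA DM syntax." Also, "the servers Provider ID" on the ProviderID line still lacks the apostrophe ("server's") in both columns.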
@ -82,14 +82,14 @@ Optional. Character string representing the cache version set by the server. Sco
Data type is string. Supported operations are Get, Add, and Replace. Data type is string. Supported operations are Get, Add, and Replace.
<a href="" id="providerid-changednodes"></a>***ProviderID*/ChangedNodes** <a href="" id="providerid-changednodes"></a>***ProviderID*/ChangedNodes**
Optional. List of nodes whose values do not match their expected values as specified in **/*NodeID*/ExpectedValue**. Scope is dynamic. Optional. List of nodes whose values don't match their expected values as specified in **/*NodeID*/ExpectedValue**. Scope is dynamic.
Data type is string. Supported operation is Get. Data type is string. Supported operation is Get.
<a href="" id="providerid-changednodesdata"></a>***ProviderID*/ChangedNodesData** <a href="" id="providerid-changednodesdata"></a>***ProviderID*/ChangedNodesData**
Added in Windows 10, version 1703. Optional. XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue. Added in Windows 10, version 1703. Optional. XML containing nodes whose values don't match their expected values as specified in /NodeID/ExpectedValue.
Suppported operation is Get. Supported operation is Get.
<a href="" id="providerid-nodes"></a>***ProviderID*/Nodes** <a href="" id="providerid-nodes"></a>***ProviderID*/Nodes**
Required. Root node for cached nodes. Scope is dynamic. Required. Root node for cached nodes. Scope is dynamic.
@ -107,7 +107,7 @@ Required. This node's value is a complete OMA DM node URI. It can specify either
Data type is string. Supported operations are Get, Add, and Delete. Data type is string. Supported operations are Get, Add, and Delete.
<a href="" id="-nodeid-expectedvalue"></a>**/*NodeID*/ExpectedValue** <a href="" id="-nodeid-expectedvalue"></a>**/*NodeID*/ExpectedValue**
Required. This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. Scope is dynamic. Supported values are string and x-nodemon-nonexistent. Required. The server expects this value to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. Scope is dynamic. Supported values are string and x-nodemon-nonexistent.
Supported operations are Get, Add, and Delete. Supported operations are Get, Add, and Delete.
@ -129,7 +129,7 @@ Here's an example for setting the ExpectedValue to nonexistent.
``` ```
<a href="" id="-nodeid-autosetexpectedvalue"></a>**/*NodeID*/AutoSetExpectedValue** <a href="" id="-nodeid-autosetexpectedvalue"></a>**/*NodeID*/AutoSetExpectedValue**
Added in Windows 10, version 1703. Required. This automatically sets the value on the device to match the actual value of the node. The node is specified in NodeURI. Added in Windows 10, version 1703. Required. This parameter's value automatically sets the value on the device to match the actual value of the node. The node is specified in NodeURI.
Supported operations are Add, Get, and Delete. Supported operations are Add, Get, and Delete.
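Review bot: "This parameter's value automatically sets the value on the device" is unclear about what gets set; the later example in this same patch states that a Get on ExpectedValue returns what the Device Name was when AutoSet was called. Suggest "Automatically sets ExpectedValue to the actual value of the node specified in NodeURI."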
@ -166,7 +166,7 @@ Supported operations are Add, Get, and Delete.
1. If a value already exists in the server-side cache, retrieve the value from the server-side cache instead of going to the device. 1. If a value already exists in the server-side cache, retrieve the value from the server-side cache instead of going to the device.
2. If a value does not exist in the server-side cache, do the following: 2. If a value doesn't exist in the server-side cache, do the following tasks:
1. Create a new entry with a unique *NodeID* in the server-side cache. 1. Create a new entry with a unique *NodeID* in the server-side cache.
@ -370,12 +370,12 @@ For AutoSetExpectedValue, a Replace operation with empty data will query the ./D
A Get operation on ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/ExpectedValue returns what the Device Name was when the AutoSet was called. A Get operation on ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/ExpectedValue returns what the Device Name was when the AutoSet was called.
A Get operation on the ChangedNodesData returns an encoded XML. Here is example: A Get operation on the ChangedNodesData returns an encoded XML. Here's an example:
```xml ```xml
<Nodes><Node Id="10" Uri=""></Node><Node Id="20" Uri="./DevDetail/Ext/Microsoft/DeviceName">U09NRU5FV1ZBTFVF</Node></Nodes> <Nodes><Node Id="10" Uri=""></Node><Node Id="20" Uri="./DevDetail/Ext/Microsoft/DeviceName">U09NRU5FV1ZBTFVF</Node></Nodes>
``` ```
It represents this: It represents this example:
```xml ```xml
<Nodes> <Nodes>
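Review bot: "It represents this example:" is wrong; the block that follows is the same returned XML shown unencoded and pretty-printed, not another example. Suggest "Decoded, it represents this XML:" or simply keep "It represents this:".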
@ -383,10 +383,10 @@ It represents this:
<Node Id="20" Uri="./DevDetail/Ext/Microsoft/DeviceName">U09NRU5FV1ZBTFVF</Node> <Node Id="20" Uri="./DevDetail/Ext/Microsoft/DeviceName">U09NRU5FV1ZBTFVF</Node>
</Nodes> </Nodes>
``` ```
Id is the node ID that was added by the MDM server, and Uri is the path that the node is tracking. Id is the node Id that was added by the MDM server, and Uri is the path that the node is tracking.
If a Uri is not set, the node will always be reported as changed, as in Node id 10. If a Uri isn't set, the node will always be reported as changed, as in Node Id 10.
The value inside of the node tag is the actual value returned by the Uri, which means that for Node Id 20 the DeviceName did not match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously. The value inside of the node tag is the actual value returned by the Uri, which means that for Node Id 20 the DeviceName didn't match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously.
## Related topics ## Related topics
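Review bot: the last sentence says "the device name is now U09NRU5FV1ZBTFVF", but the preceding text describes the Get result as encoded XML, and that string is a Base64 value (it decodes to SOMENEWVALUE); a reader may take the literal as the device name. Suggest "the device name value, Base64-encoded in the response, is now ..." and splitting this run-on into two sentences.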

View File

@ -25,12 +25,12 @@ The following table shows the OMA DM standards that Windows uses.
|--- |--- | |--- |--- |
|Data transport and session|<li>Client-initiated remote HTTPS DM session over SSL.<li>Remote HTTPS DM session over SSL.<li>Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.<li>Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.| |Data transport and session|<li>Client-initiated remote HTTPS DM session over SSL.<li>Remote HTTPS DM session over SSL.<li>Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.<li>Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.|
|Bootstrap XML|OMA Client Provisioning XML.| |Bootstrap XML|OMA Client Provisioning XML.|
|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.<br/><li>Add (Implicit Add supported)<li>Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.<li>Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.<li>Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists<li>Exec: Invokes an executable on the client device<li>Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format<li>Replace: Overwrites data on the client device<li>Result: Returns the data results of a Get command to the DM server<li>Sequence: Specifies the order in which a group of commands must be processed<li>Status: Indicates the completion status (success or failure) of an operation<br/><br/>If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:<br/><li>SyncBody<li>Atomic<li>Sequence<br><br/>If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.<br/><br/>If Atomic elements are nested, the following status codes are returned:<br/><li>The nested Atomic command returns 500.<li>The parent Atomic command returns 507.<br/><br/>For more information about the Atomic command, see OMA DM protocol common elements.<br>Performing an Add command followed by Replace on the same node within an 
Atomic element is not supported.<br><br/>LocURI cannot start with `/`.<br/><br/>Meta XML tag in SyncHdr is ignored by the device.| |DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.<br/><li>Add (Implicit Add supported)<li>Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.<li>Atomic: Performing an Add command followed by Replace on the same node within an atomic element isn't supported. Nested Atomic and Get commands aren't allowed and will generate error code 500.<li>Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists<li>Exec: Invokes an executable on the client device<li>Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format<li>Replace: Overwrites data on the client device<li>Result: Returns the data results of a Get command to the DM server<li>Sequence: Specifies the order in which a group of commands must be processed<li>Status: Indicates the completion status (success or failure) of an operation<br/><br/>If an XML element that isn't a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:<br/><li>SyncBody<li>Atomic<li>Sequence<br><br/>If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.<br/><br/>If Atomic elements are nested, the following status codes are returned:<br/><li>The nested Atomic command returns 500.<li>The parent Atomic command returns 507.<br/><br/>For more information about the 
Atomic command, see OMA DM protocol common elements.<br>Performing an Add command followed by Replace on the same node within an Atomic element isn't supported.<br><br/>LocURI can't start with `/`.<br/><br/>Meta XML tag in SyncHdr is ignored by the device.|
|OMA DM standard objects|DevInfo<li>DevDetail<li>OMA DM DMS account objects (OMA DM version 1.2)| |OMA DM standard objects|DevInfo<li>DevDetail<li>OMA DM DMS account objects (OMA DM version 1.2)|
|Security|<li>Authenticate DM server initiation notification SMS message (not used by enterprise management)<li>Application layer Basic and MD5 client authentication<li>Authenticate server with MD5 credential at application level<li>Data integrity and authentication with HMAC at application level<li>SSL level certificate-based client/server authentication, encryption, and data integrity check| |Security|<li>Authenticate DM server initiation notification SMS message (not used by enterprise management)<li>Application layer Basic and MD5 client authentication<li>Authenticate server with MD5 credential at application level<li>Data integrity and authentication with HMAC at application level<li>SSL level certificate-based client/server authentication, encryption, and data integrity check|
|Nodes|In the OMA DM tree, the following rules apply for the node name:<br/><li>"." can be part of the node name.<li>The node name cannot be empty.<li>The node name cannot be only the asterisk (*) character.| |Nodes|In the OMA DM tree, the following rules apply for the node name:<br/><li>"." can be part of the node name.<li>The node name can't be empty.<li>The node name can't be only the asterisk (*) character.|
|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).<br/><br/>If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.<div class="alert">**Note**<br>To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.</div>| |Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).<br/><br/>If an XML element that isn't a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.<div class="alert">**Note**<br>To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.</div>|
|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.| |WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This dual-format support is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.|
|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.| |Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.|
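Review bot: two formatting defects in this table survive in both columns. In the Provisioning Files row, "SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905)" is missing its opening "[" so the link does not render; and in the OMA DM standard objects row, "DevInfo<li>DevDetail" lacks a leading "<li>", so DevInfo renders outside the list. Also, the Atomic Add-then-Replace restriction appears twice in the DM protocol commands cell (in the Atomic bullet and again after "For more information about the Atomic command"); one copy could be dropped.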
@ -52,7 +52,7 @@ Common elements are used by other OMA DM element types. The following table list
|MsgID|Specifies a unique identifier for an OMA DM session message.| |MsgID|Specifies a unique identifier for an OMA DM session message.|
|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| |MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.|
|RespURI|Specifies the URI that the recipient must use when sending a response to this message.| |RespURI|Specifies the URI that the recipient must use when sending a response to this message.|
|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.<div class="alert">**Note**<br> If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.</div>| |SessionID|Specifies the identifier of the OMA DM session associated with the containing message.<div class="alert">**Note**<br> If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.</div>|
|Source|Specifies the message source address.| |Source|Specifies the message source address.|
|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| |SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.|
|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| |Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.|
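Review bot: in the SessionID note, "the client returns the SessionID in integer in decimal format" is left unchanged and reads awkwardly; suggest "returns the SessionID as an integer in decimal format".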
@ -64,13 +64,13 @@ Common elements are used by other OMA DM element types. The following table list
A Device Management (DM) session consists of a series of commands exchanged between a DM server and a client device. The server sends commands indicating operations that must be performed on the client device's management tree. The client responds by sending commands that contain the results and any requested status information. A Device Management (DM) session consists of a series of commands exchanged between a DM server and a client device. The server sends commands indicating operations that must be performed on the client device's management tree. The client responds by sending commands that contain the results and any requested status information.
A short DM session can be summarized as the following: A short DM session can be summarized as:
A server sends a Get command to a client device to retrieve the contents of one of the nodes of the management tree. The device performs the operation and responds with a Result command that contains the requested contents. A server sends a Get command to a client device to retrieve the contents of one of the nodes of the management tree. The device performs the operation and responds with a Result command that contains the requested contents.
A DM session can be divided into two phases: A DM session can be divided into two phases:
1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. 1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table.
2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase two ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. 2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table.
The following information shows the sequence of events during a typical DM session. The following information shows the sequence of events during a typical DM session.
@ -92,7 +92,7 @@ The following information shows the sequence of events during a typical DM sessi
The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started. During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. If the MD5 authentication occurs, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started.
If a request includes credentials and the response code to the request is 200, the same credential must be sent within the next request. If the Chal element is included and the MD5 authentication is required, a new digest is created by using the next nonce via the Chal element for next request. If a request includes credentials and the response code to the request is 200, the same credential must be sent within the next request. If the Chal element is included and the MD5 authentication is required, a new digest is created by using the next nonce via the Chal element for next request.
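Review bot: "If the MD5 authentication occurs, the Chal element can be returned" changes the original sense; authentication is a chosen scheme, not an event that occurs. Suggest "When MD5 authentication is used, the Chal element can be returned."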
@ -101,13 +101,13 @@ For more information about Basic or MD5 client authentication, MD5 server authen
## User targeted vs. Device targeted configuration ## User targeted vs. Device targeted configuration
For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the login status via a device alert (1224) with Alert type = in DM pkg\#1. For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the sign-in status via a device alert (1224) with Alert type = in DM pkg\#1.
The data part of this alert could be one of following strings: The data part of this alert could be one of following strings:
- User the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration - User the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration
- Others another user login but that user does not have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device. - Others another user sign in but that user doesn't have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device.
- None no active user login. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user login). - None no active user sign in. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user sign in).
Below is an alert example: Below is an alert example:
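Review bot: the login-to-sign-in change is applied inconsistently in this hunk: the "User" bullet still says "actively logged in" while the "Others" and "None" bullets now say "sign in". The new "Others" bullet is also ungrammatical ("another user sign in but that user doesn't have an MDM account"); suggest "another user is signed in, but that user doesn't have an MDM account" and "no active user is signed in" for the "None" bullet.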
@ -125,7 +125,7 @@ Below is an alert example:
</Alert> </Alert>
``` ```
The server notifies the device whether it is a user targeted or device targeted configuration by a prefix to the management nodes LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it is device targeted configuration. The server notifies the device whether it's a user-targeted or device-targeted configuration by a prefix to the management nodes LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it's device targeted configuration.
The following LocURL shows a per user CSP node configuration: **./user/vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/&lt;PackageFamilyName&gt;/StoreInstall** The following LocURL shows a per user CSP node configuration: **./user/vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/&lt;PackageFamilyName&gt;/StoreInstall**
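Review bot: "a prefix to the management nodes LocURL" needs "node's", and "LocURL" is inconsistent with the "LocURI" used in the DM protocol commands table in this same patch. "By default, if no prefix with ./device or ./user, it's device targeted configuration" is also ungrammatical; suggest "If the LocURI has neither prefix, the configuration is device targeted by default." Both survive in the new column.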
@ -135,28 +135,28 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo
<a href="" id="syncml-response-codes"></a> <a href="" id="syncml-response-codes"></a>
## SyncML response status codes ## SyncML response status codes
When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification. When SyncML in OMA DM is being used, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you're likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.
| Status code | Description | | Status code | Description |
|---|----| |---|----|
| 200 | The SyncML command completed successfully. | | 200 | The SyncML command completed successfully. |
| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. | | 202 | Accepted for processing. This code denotes an asynchronous operation, such as a request to run a remote execution of an application. |
| 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. | | 212 | Authentication accepted. Normally you'll only see this code in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this code if you look at OMA DM logs, but CSPs don't typically generate this code. |
| 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. | | 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. |
| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. | | 215 | Not executed. A command wasn't executed as a result of user interaction to cancel the command. |
| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. | | 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. |
| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. | | 400 | Bad request. The requested command couldn't be performed because of malformed syntax. CSPs don't usually generate this error, however you might see it if your SyncML is malformed. |
| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. | | 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs don't usually generate this error. |
| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. | | 403 | Forbidden. The requested command failed, but the recipient understood the requested command. |
| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. | | 404 | Not found. The requested target wasn't found. This code will be generated if you query a node that doesn't exist. |
| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. | | 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. |
| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. | | 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. |
| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. | | 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. |
| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. | | 418 | Already exists. This response code occurs if you attempt to add a node that already exists. |
| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. | | 425 | Permission Denied. The requested command failed because the sender doesn't have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. |
| 500 | Command failed. Generic failure. The recipient encountered an unexpected condition which prevented it from fulfilling the request. This response code will occur when the SyncML DPU cannot map the originating error code. | | 500 | Command failed. Generic failure. The recipient encountered an unexpected condition, which prevented it from fulfilling the request. This response code will occur when the SyncML DPU can't map the originating error code. |
| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. | | 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. |
| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. | | 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command wasn't rolled back successfully. |
## Related topics ## Related topics
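Review bot: the 405 row still reads "This respond code will be generated", which should be "This response code" to match the 406 and 415 rows; since this pass is a wording cleanup, fix it in the same hunk. The 400 row also keeps a comma splice, "CSPs don't usually generate this error, however you might see it if your SyncML is malformed", which reads better as "CSPs don't usually generate this error; you might see it, however, if your SyncML is malformed."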

View File

@ -14,14 +14,14 @@ ms.date: 07/19/2019
# PassportForWork CSP # PassportForWork CSP
The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to login to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to sign in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
> [!IMPORTANT] > [!IMPORTANT]
> Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. > Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
   
### User configuration diagram ### User configuration diagram
The following shows the PassportForWork configuration service provider in tree format. The following example shows the PassportForWork configuration service provider in tree format.
```console ```console
./User/Vendor/MSFT ./User/Vendor/MSFT
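Review bot: "The following example shows the PassportForWork configuration service provider in tree format" mislabels the node tree: the `./User/Vendor/MSFT` tree is the CSP's actual node structure, not an example, so "The following diagram shows" (or the original "The following shows") is more accurate. In the same hunk, the IMPORTANT note needs a comma after the version: "Starting with Windows 10, version 1607, all devices only have one PIN".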
@ -44,7 +44,7 @@ PassportForWork
### Device configuration diagram ### Device configuration diagram
The following shows the PassportForWork configuration service provider in tree format. The following example shows the PassportForWork configuration service provider in tree format.
```console ```console
./Device/Vendor/MSFT ./Device/Vendor/MSFT
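Review bot: "The following example shows the PassportForWork configuration service provider in tree format" describes the `./Device/Vendor/MSFT` node tree, which is the CSP's real structure rather than an example; suggest "The following diagram shows the PassportForWork configuration service provider in tree format."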
@ -88,7 +88,7 @@ PassportForWork
Root node for PassportForWork configuration service provider. Root node for PassportForWork configuration service provider.
<a href="" id="tenantid"></a>***TenantId*** <a href="" id="tenantid"></a>***TenantId***
A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure/get-azureaccount). For more information see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). A globally unique identifier (GUID), without curly braces ({ , }), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
<a href="" id="tenantid-policies"></a>***TenantId*/Policies** <a href="" id="tenantid-policies"></a>***TenantId*/Policies**
Node for defining the Windows Hello for Business policy settings. Node for defining the Windows Hello for Business policy settings.
@ -96,14 +96,14 @@ Node for defining the Windows Hello for Business policy settings.
<a href="" id="tenantid-policies-usepassportforwork"></a>***TenantId*/Policies/UsePassportForWork** <a href="" id="tenantid-policies-usepassportforwork"></a>***TenantId*/Policies/UsePassportForWork**
Boolean value that sets Windows Hello for Business as a method for signing into Windows. Boolean value that sets Windows Hello for Business as a method for signing into Windows.
Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business. Default value is true. If you set this policy to false, the user can't provision Windows Hello for Business.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
<a href="" id="tenantid-policies-requiresecuritydevice"></a>***TenantId*/Policies/RequireSecurityDevice** <a href="" id="tenantid-policies-requiresecuritydevice"></a>***TenantId*/Policies/RequireSecurityDevice**
Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an additional security benefit over software so that data stored in it cannot be used on other devices. Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an extra security benefit over software so that data stored in it can't be used on other devices.
Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there is not a usable TPM. If you do not configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there isn't a usable TPM. If you don't configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
@ -116,7 +116,7 @@ Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are comp
Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. If you disable or don't configure this policy setting, TPM revision 1.2 modules will be used with Windows Hello for Business.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
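Review bot: the rewritten sentence changes the policy's meaning. "If you disable or don't configure this policy setting, TPM revision 1.2 modules will be used with Windows Hello for Business" states that such modules are always used, whereas the original "will be allowed to be used" only says they are permitted. Suggest "TPM revision 1.2 modules can be used with Windows Hello for Business" so the not-configured behaviour stays described as permissive, consistent with the preceding sentence that enabling the policy disallows them.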
@ -126,7 +126,7 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed. Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed.
If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. If you disable or don't configure this policy setting, the PIN recovery secret won't be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
@ -135,7 +135,7 @@ Boolean value that enables Windows Hello for Business to use certificates to aut
If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. If you disable or don't configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
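Review bot: "the PIN will be provisioned when the user logs in" keeps "logs in" while this same commit changes "login to Windows" to "sign in to Windows" in the topic's opening paragraph; for consistency, change it to "when the user signs in".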
@ -145,7 +145,7 @@ Node for defining PIN settings.
<a href="" id="tenantid-policies-pincomplexity-minimumpinlength"></a>***TenantId*/Policies/PINComplexity/MinimumPINLength** <a href="" id="tenantid-policies-pincomplexity-minimumpinlength"></a>***TenantId*/Policies/PINComplexity/MinimumPINLength**
Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4. If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be greater than or equal to 4.
> [!NOTE] > [!NOTE]
> If the conditions specified above for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. > If the conditions specified above for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
@ -156,7 +156,7 @@ Value type is int. Supported operations are Add, Get, Delete, and Replace.
<a href="" id="tenantid-policies-pincomplexity-maximumpinlength"></a>***TenantId*/Policies/PINComplexity/MaximumPINLength** <a href="" id="tenantid-policies-pincomplexity-maximumpinlength"></a>***TenantId*/Policies/PINComplexity/MaximumPINLength**
Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater.
If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be less than or equal to 127. If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be less than or equal to 127.
> [!NOTE] > [!NOTE]
> If the conditions specified above for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. > If the conditions specified above for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.
@ -170,10 +170,10 @@ Integer value that configures the use of uppercase letters in the Windows Hello
Valid values: Valid values:
- 0 - Allows the use of uppercase letters in PIN. - 0 - Allows the use of uppercase letters in PIN.
- 1 - Requires the use of at least one uppercase letters in PIN. - 1 - Requires the use of at least one uppercase letter in PIN.
- 2 - Does not allow the use of uppercase letters in PIN. - 2 - Doesn't allow the use of uppercase letters in PIN.
Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
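Review bot: "If all character sets are allowed but none's explicitly required" introduces a contraction of "none is" that reads as a possessive and is not standard in product documentation; write "but none is explicitly required". The same replacement was made in the Lowercase, SpecialCharacters and Digits sections of this topic and should be reverted there as well.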
@ -183,10 +183,10 @@ Integer value that configures the use of lowercase letters in the Windows Hello
Valid values: Valid values:
- 0 - Allows the use of lowercase letters in PIN. - 0 - Allows the use of lowercase letters in PIN.
- 1 - Requires the use of at least one lowercase letters in PIN. - 1 - Requires the use of at least one lowercase letter in PIN.
- 2 - Does not allow the use of lowercase letters in PIN. - 2 - Doesn't allow the use of lowercase letters in PIN.
Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
@ -197,9 +197,9 @@ Valid values:
- 0 - Allows the use of special characters in PIN. - 0 - Allows the use of special characters in PIN.
- 1 - Requires the use of at least one special character in PIN. - 1 - Requires the use of at least one special character in PIN.
- 2 - Does not allow the use of special characters in PIN. - 2 - Doesn't allow the use of special characters in PIN.
Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
@ -210,16 +210,16 @@ Valid values:
- 0 - Allows the use of digits in PIN. - 0 - Allows the use of digits in PIN.
- 1 - Requires the use of at least one digit in PIN. - 1 - Requires the use of at least one digit in PIN.
- 2 - Does not allow the use of digits in PIN. - 2 - Doesn't allow the use of digits in PIN.
Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
<a href="" id="tenantid-policies-pincomplexity-history"></a>***TenantId*/Policies/PINComplexity/History** <a href="" id="tenantid-policies-pincomplexity-history"></a>***TenantId*/Policies/PINComplexity/History**
Integer value that specifies the number of past PINs that can be associated to a user account that cant be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. This node was added in Windows 10, version 1511. Integer value that specifies the number of past PINs that can be associated to a user account that cant be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required. This node was added in Windows 10, version 1511.
The current PIN of the user is included in the set of PINs associated with the user account. PIN history is not preserved through a PIN reset. The current PIN of the user is included in the set of PINs associated with the user account. PIN history isn't preserved through a PIN reset.
Default value is 0. Default value is 0.
@ -248,7 +248,7 @@ Supported operations are Add, Get, Delete, and Replace.
<a href="" id="tenantid-policies-usehellocertificatesassmartcardcertificates"></a>***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT) <a href="" id="tenantid-policies-usehellocertificatesassmartcardcertificates"></a>***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1809. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. Added in Windows 10, version 1809. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key.
Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in.
@ -262,7 +262,7 @@ Node for defining biometric settings. This node was added in Windows 10, versi
*Not supported on Windows Holographic and Windows Holographic for Business.* *Not supported on Windows Holographic and Windows Holographic for Business.*
<a href="" id="biometrics-usebiometrics--only-for---device-vendor-msft-"></a>**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) <a href="" id="biometrics-usebiometrics--only-for---device-vendor-msft-"></a>**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use if there are failures. This node was added in Windows 10, version 1511.
Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business.
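Review bot: "Users must still configure a PIN if they configure biometric gestures to use if there are failures" stacks two "if" clauses and is harder to parse than the original "in case of failures"; suggest "Users who configure biometric gestures must still configure a PIN, which is used when a biometric gesture fails."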
@ -277,9 +277,9 @@ Boolean value used to enable or disable enhanced anti-spoofing for facial featur
Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing. If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that don't support enhanced anti-spoofing.
Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. Enhanced anti-spoofing for Windows Hello face authentication isn't required on unmanaged devices.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
@ -324,7 +324,7 @@ Scope is permanent. Supported operation is Get.
<a href="" id="securitykey-usesecuritykeyforsignin"></a>**SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT) <a href="" id="securitykey-usesecuritykeyforsignin"></a>**SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1903. Enables users to sign-in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsofts implementation. Added in Windows 10, version 1903. Enables users to sign in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsofts implementation.
Scope is dynamic. Supported operations are Add, Get, Replace, and Delete. Scope is dynamic. Supported operations are Add, Get, Replace, and Delete.