From 6fe235e54a56a319248bfe59b5b077240eb25bd3 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi
Date: Thu, 11 Nov 2021 10:06:53 +0530
Subject: [PATCH 01/14] HTMLTableConversionToMD-batch 04
---
windows/client-management/mdm/get-seats.md | 118 +----
.../mdm/healthattestation-csp.md | 325 +++-----------
windows/client-management/mdm/hotspot-csp.md | 33 +-
...rver-side-mobile-application-management.md | 42 +-
...ent-tool-for-windows-store-for-business.md | 23 +-
.../mdm/mobile-device-enrollment.md | 147 +------
windows/client-management/mdm/nap-csp.md | 33 +-
windows/client-management/mdm/napdef-csp.md | 39 +-
windows/client-management/mdm/office-csp.md | 158 +------
.../mdm/oma-dm-protocol-support.md | 284 ++----------
.../mdm/policy-csp-abovelock.md | 61 +--
.../mdm/policy-csp-accounts.md | 150 ++-----
.../mdm/policy-csp-activexcontrols.md | 32 +-
.../policy-csp-admx-activexinstallservice.md | 33 +-
.../mdm/policy-csp-admx-addremoveprograms.md | 411 ++++--------------
15 files changed, 308 insertions(+), 1581 deletions(-)
diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md
index a510b2460c..f58ed76669 100644
--- a/windows/client-management/mdm/get-seats.md
+++ b/windows/client-management/mdm/get-seats.md
@@ -1,6 +1,6 @@
---
title: Get seats
-description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business.
+description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business.
ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F
ms.reviewer:
manager: dansimp
@@ -18,118 +18,34 @@ The **Get seats** operation retrieves the information about active seats in the
## Request
-
-
-
-
-
-
-
-
-
-
-GET |
-https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults} |
-
-
-
+**GET:**
+
+```http
+https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults}
+```
-
### URI parameters
The following parameters may be specified in the request URI.
-
-
-
-
-
-
-
-
-
-
-
-productId |
-string |
-Required. Product identifier for an application that is used by the Store for Business. |
-
-
-skuId |
-string |
-Required. Product identifier that specifies a specific SKU of an application. |
-
-
-continuationToken |
-string |
-Optional. |
-
-
-maxResults |
-int32 |
-Optional. Default = 25, Maximum = 100 |
-
-
-
+|Parameter|Type|Description|
+|--- |--- |--- |
+|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
+|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
+|continuationToken|string|Optional.|
+|maxResults|int32|Optional. Default = 25, Maximum = 100|
-
## Response
### Response body
The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset).
-
-
-
-
-
-
-
-
-
-
-
-
-400 |
-Invalid parameters |
-No |
-Parameter name
-Reason: Missing parameter or invalid parameter
-Details: String |
-
-
-404 |
-Not found |
- |
- |
-
-
-409 |
-Conflict |
- |
-Reason: Not online |
-
-
-
-
-
-
-
-
-
+|Error code|Description|Retry|Data field|
+|--- |--- |--- |--- |
+|400|Invalid parameters|No|Parameter name
Reason: Missing parameter or invalid parameter
Details: String|
+|404|Not found|||
+|409|Conflict||Reason: Not online|
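Review bot: the 400 row of the error-code table is split over three physical lines (`|400|Invalid parameters|No|Parameter name`, `Reason: Missing parameter or invalid parameter`, `Details: String|`), so the table ends after the first of them and the 404 and 409 rows render as stray text; join the cell on one line with `<br>` between the three fragments. The hunk also drops the blank lines that separated the closing code fence from `### URI parameters` and the parameter table from `## Response`; put a blank line back in both places so the fence and the table are closed before the next heading. While the table is being rewritten, the `continuationToken` row says only `Optional.`; a short statement of what the token carries, in the way the `maxResults` row gives its default and maximum, would make the paging contract clear to anyone scripting against this endpoint.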
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 32bdbb1eca..b29bed482b 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -551,77 +551,16 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes

-
-
-
-
-
-
-
-
-
-
-Device Health Attestation – Cloud (DHA-Cloud) |
-DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
-
-- Available in Windows for free
-- Running on a high-availability and geo-balanced cloud infrastructure
-- Supported by most DHA-Enabled device management solutions as the default device attestation service provider
-- Accessible to all enterprise-managed devices via following:
-
-- FQDN = has.spserv.microsoft.com) port
-- Port = 443
-- Protocol = TCP
-
-
-
- | No cost |
-
-
-
-Device Health Attestation – On Premise (DHA-OnPrem) |
-DHA-OnPrem refers to DHA-Service that is running on premises:
- |
-The operation cost of running one or more instances of Server 2016 on-premises. |
-
-
-Device Health Attestation - Enterprise-Managed Cloud (DHA-EMC) |
-DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
- |
-The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure. |
-
-
-
+|DHA-Service type|Description|Operation cost|
+|--- |--- |--- |
+|Device Health Attestation – Cloud (DHA-Cloud)|DHA-Cloud is a Microsoft owned and operated DHA-Service that is:Available in Windows for freeRunning on a high-availability and geo-balanced cloud infrastructure Supported by most DHA-Enabled device management solutions as the default device attestation service providerAccessible to all enterprise-managed devices via following:- FQDN = has.spserv.microsoft.com port
- Port = 443
- Protocol = TCP|No cost
|
+|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service) Hosted on an enterprise owned and managed server device/hardwareSupported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenariosAccessible to all enterprise-managed devices via following:- FQDN = (enterprise assigned)
- Port = (enterprise assigned)
- Protocol = TCP|The operation cost of running one or more instances of Server 2016 on-premises.
|
+|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios Accessible to all enterprise-managed devices via following: - FQDN = (enterprise assigned)
- Port = (enterprise assigned)
- Protocol = TCP|The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
|
### CSP diagram and node descriptions
-
-The following shows the Device HealthAttestation configuration service provider in tree format.
+The following shows the Device HealthAttestation configuration service provider in tree format.
+
```
./Vendor/MSFT
HealthAttestation
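Review bot: the three rows of the DHA-Service table carry raw line breaks inside the Description and Operation cost cells (`- Port = 443`, `- Protocol = TCP` and the lone `|` each sit on their own line), which terminates the table after the first physical line of the DHA-Cloud row, and the former bullet items have been run together with no separator (`Available in Windows for freeRunning on a high-availability`). Rebuild each cell on a single line with `<br>` between items. The DHA-Cloud row also keeps a stray word after the hostname, `FQDN = has.spserv.microsoft.com port`, where the old text had a stray `)`; it should read `FQDN = has.spserv.microsoft.com` followed by the separate `Port = 443` and `Protocol = TCP` items, since this is the value administrators copy into outbound firewall and proxy allowlists for devices that attest against DHA-Cloud, and a trailing token there invites a mistyped rule.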
@@ -1263,214 +1202,48 @@ Each of these are described in further detail in the following sections, along w
### **Device HealthAttestation CSP status and error codes**
-
-
- Error code |
- Error name |
- Description |
-
-
- 0 |
- HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED |
- This is the initial state for devices that have never participated in a DHA-Session. |
-
-
- 1 |
- HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED |
- This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. |
-
-
- 2 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED |
- This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. |
-
-
- 3 |
- HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE |
- This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. |
-
-
- 4 |
- HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL |
- Deprecated in Windows 10, version 1607. |
-
-
- 5 |
- HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL |
- DHA-CSP failed to get a claim quote. |
-
-
- 6 |
- HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY |
- DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. |
-
-
- 7 |
- HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL |
- DHA-CSP failed in retrieving Windows AIK |
-
-
- 8 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL |
- Deprecated in Windows 10, version 1607. |
-
-
- 9 |
- HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION |
- Invalid TPM version (TPM version is not 1.2 or 2.0) |
-
-
- 10 |
- HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL |
- Nonce was not found in the registry. |
-
-
- 11 |
- HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL |
- Correlation ID was not found in the registry. |
-
-
- 12 |
- HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL |
- Deprecated in Windows 10, version 1607. |
-
-
- 13 |
- HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL |
- Deprecated in Windows 10, version 1607. |
-
-
- 14 |
- HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL |
- Failure in Encoding functions. (Extremely unlikely scenario) |
-
-
- 15 |
- HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL |
- Deprecated in Windows 10, version 1607. |
-
-
- 16 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML |
- DHA-CSP failed to load the payload it received from DHA-Service |
-
-
- 17 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML |
- DHA-CSP received a corrupted response from DHA-Service. |
-
-
- 18 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML |
- DHA-CSP received an empty response from DHA-Service. |
-
-
- 19 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK |
- DHA-CSP failed in decrypting the AES key from the EK challenge. |
-
-
- 20 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK |
- DHA-CSP failed in decrypting the health cert with the AES key. |
-
-
- 21 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB |
- DHA-CSP failed in exporting the AIK Public Key. |
-
-
- 22 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY |
- DHA-CSP failed in trying to create a claim with AIK attestation data. |
-
-
- 23 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB |
- DHA-CSP failed in appending the AIK Pub to the request blob. |
-
-
- 24 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT |
- DHA-CSP failed in appending the AIK Cert to the request blob. |
-
-
- 25 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE |
- DHA-CSP failed to obtain a Session handle. |
-
-
- 26 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE |
- DHA-CSP failed to connect to the DHA-Service. |
-
-
- 27 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE |
- DHA-CSP failed to create an HTTP request handle. |
-
-
- 28 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION |
- DHA-CSP failed to set options. |
-
-
- 29 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS |
- DHA-CSP failed to add request headers. |
-
-
- 30 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST |
- DHA-CSP failed to send the HTTP request. |
-
-
- 31 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE |
- DHA-CSP failed to receive a response from the DHA-Service. |
-
-
- 32 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS |
- DHA-CSP failed to query headers when trying to get HTTP status code. |
-
-
- 33 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE |
- DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. |
-
-
- 34 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE |
- DHA-CSP received an empty response along with an HTTP error code from DHA-Service. |
-
-
- 35 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER |
- DHA-CSP failed to impersonate user. |
-
-
- 36 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR |
- DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. |
-
-
- 0xFFFF |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN |
- DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. |
-
-
- 400 |
- Bad_Request_From_Client |
- DHA-CSP has received a bad (malformed) attestation request. |
-
-
- 404 |
- Endpoint_Not_Reachable |
- DHA-Service is not reachable by DHA-CSP |
-
-
-
+|Error code|Error name|Description|
+|--- |--- |--- |
+|0|HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED|This is the initial state for devices that have never participated in a DHA-Session.|
+|1|HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED|This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.|
+|2|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED|This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.|
+|3|HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE|This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.|
+|4|HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL|Deprecated in Windows 10, version 1607.|
+|5|HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL|DHA-CSP failed to get a claim quote.|
+|6|HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY|DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.|
+|7|HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL|DHA-CSP failed in retrieving Windows AIK|
+|8|HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL|Deprecated in Windows 10, version 1607.|
+|9|HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION|Invalid TPM version (TPM version is not 1.2 or 2.0)|
+|10|HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL|Nonce was not found in the registry.|
+|11|HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL|Correlation ID was not found in the registry.|
+|12|HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL|Deprecated in Windows 10, version 1607.|
+|13|HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL|Deprecated in Windows 10, version 1607.|
+|14|HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL|Failure in Encoding functions. (Extremely unlikely scenario)|
+|15|HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL|Deprecated in Windows 10, version 1607.|
+|16|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML|DHA-CSP failed to load the payload it received from DHA-Service|
+|17|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML|DHA-CSP received a corrupted response from DHA-Service.|
+|18|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML|DHA-CSP received an empty response from DHA-Service.|
+|19|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK|DHA-CSP failed in decrypting the AES key from the EK challenge.|
+|20|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK|DHA-CSP failed in decrypting the health cert with the AES key.|
+|21|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB|DHA-CSP failed in exporting the AIK Public Key.|
+|22|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY|DHA-CSP failed in trying to create a claim with AIK attestation data.|
+|23|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB|DHA-CSP failed in appending the AIK Pub to the request blob.|
+|24|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT|DHA-CSP failed in appending the AIK Cert to the request blob.|
+|25|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE|DHA-CSP failed to obtain a Session handle.|
+|26|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE|DHA-CSP failed to connect to the DHA-Service.|
+|27|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE|DHA-CSP failed to create an HTTP request handle.|
+|28|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION|DHA-CSP failed to set options.|
+|29|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS|DHA-CSP failed to add request headers.|
+|30|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST|DHA-CSP failed to send the HTTP request.|
+|31|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE|DHA-CSP failed to receive a response from the DHA-Service.|
+|32|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS|DHA-CSP failed to query headers when trying to get HTTP status code.|
+|33|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE|DHA-CSP received an empty response from DHA-Service even though HTTP status was OK.|
+|34|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE|DHA-CSP received an empty response along with an HTTP error code from DHA-Service.|
+|35|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER|DHA-CSP failed to impersonate user.|
+|36|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR|DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.|
+|0xFFFF|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN|DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.|
+|400|Bad_Request_From_Client|DHA-CSP has received a bad (malformed) attestation request.|
+|404|Endpoint_Not_Reachable|DHA-Service is not reachable by DHA-CSP|
### DHA-Report V3 schema
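Review bot: the table is immediately followed by `### DHA-Report V3 schema` with no blank line after the `|404|Endpoint_Not_Reachable|...|` row; add one so the table is closed before the heading. Two smaller consistency points for the rewritten rows: the columns are headed `Error code` / `Error name`, but rows 0, 1 and 3 describe session states rather than failures (`This is the initial state for devices that have never participated in a DHA-Session`), so `Status code` / `Status name`, matching the section title, would be more accurate; and the descriptions for 7 (`DHA-CSP failed in retrieving Windows AIK`), 16 and 404 lack the terminal period the other rows have.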
diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md
index 0672037cf9..ab23f17606 100644
--- a/windows/client-management/mdm/hotspot-csp.md
+++ b/windows/client-management/mdm/hotspot-csp.md
@@ -186,34 +186,11 @@ The DLL must be code signed in a specific way, see [Sign binaries and packages](
During an entitlement check the Internet Sharing service loads the specified DLL and then call the `IsEntitled` function. The function must connect to the server to perform any required validation, then return one of the following **ICS\_ENTITLEMENT\_RESULT** enumeration values.
-
-
-
-
-
-
-
-
-
-
-ENTITLEMENT_SUCCESS |
-The device is allowed to connect to the server. |
-
-
-ENTITLEMENT_FAILED |
-The device is not allowed to connect to the server |
-
-
-ENTITLEMENT_UNAVAILABLE |
-The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement. |
-
-
-
-
-
+|Value|Description|
+|--- |--- |
+|**ENTITLEMENT_SUCCESS**|The device is allowed to connect to the server.|
+|**ENTITLEMENT_FAILED**|The device is not allowed to connect to the server|
+|**ENTITLEMENT_UNAVAILABLE**|The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.|
The definition for the **ICS\_ENTITLEMENT\_RESULT** is in the header file `IcsEntitlementh`, which ships with the Windows Adaptation Kit.
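Review bot: the table needs a blank line after the `ENTITLEMENT_UNAVAILABLE` row before the paragraph that starts `The definition for the **ICS_ENTITLEMENT_RESULT**`; as written the paragraph follows the last row directly. While this file is open, that same context line names the header as `IcsEntitlementh`, which is missing the dot before the extension and should read `IcsEntitlement.h`.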
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 68633b48af..65f11b56b4 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -129,40 +129,8 @@ If the MAM device is properly configured for MDM enrollment, then the Enroll onl
We have updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature.
-
-
-
-
-
-
-
-
-
-
-
-
-Current channel |
-Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. |
-March 9 2017 |
-Visio Pro for Office 365
-Project Desktop Client
-Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.) |
-
-
-Deferred channel |
-Provide users with new features of Office only a few times a year. |
-October 10 2017 |
-Microsoft 365 Apps for enterprise |
-
-First release for Deferred channel |
-Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. |
-June 13 2017 |
- |
-
-
-
\ No newline at end of file
+|Update channel|Primary purpose|LOB Tattoo availability|Default update channel for the products|
+|--- |--- |--- |--- |
+|[Current channel](/deployoffice/overview-update-channels#BKMK_CB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|March 9 2017|Visio Pro for Office 365
Project Desktop Client
Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)|
+|[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)|Provide users with new features of Office only a few times a year.|October 10 2017|Microsoft 365 Apps for enterprise|
+|[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|June 13 2017||
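Review bot: the `Current channel` row's last cell spans three physical lines (`Visio Pro for Office 365` / `Project Desktop Client` / `Microsoft 365 Apps for business ...`), which ends the table after the first line and leaves the Deferred channel and First release rows rendering as text; join them with `<br>`. The conversion also carries over a content defect worth fixing here: the Primary purpose for `Current channel` is word-for-word the text used for `First release for deferred channel` (`Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.`), which cannot describe the Current channel, so either correct it or flag it for the content owner. The old file ended without a trailing newline (`\ No newline at end of file`); confirm the rewritten file ends with one.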
diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
index f2da07d4e2..af0d01f75e 100644
--- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
+++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
@@ -34,26 +34,11 @@ For additional information about Store for Business, see the TechNet topics in [
The Store for Business provides services that enable a management tool to synchronize new and updated applications on behalf of an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provides several capabilities including providing application data, the ability to assign and reclaim applications, and the ability to download offline-licensed application packages.
-
-
-
-
-
-
-
-Application data |
-The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications. |
-
-
-Licensing models |
-Offline vs. Online
-Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
-Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store. |
-
-
-
+- **Application data**:The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.
-
+- **Licensing models**:
+ - **Online-licensed** applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
+ - **Offline-licensed** applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.
### Offline-licensed application distribution
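Review bot: `- **Application data**:The Store for Business service` is missing the space after the colon, and the list runs straight into `### Offline-licensed application distribution` with no blank line; add both. Since the Offline-licensed bullet is being rewritten anyway, fix the number agreement in `Offline-licensed application do not require connectivity to the store, however it can be updated` to `applications do not require ... however they can be updated`.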
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index d1ada9afe6..8b9380767e 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -110,75 +110,15 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
```
-
-
-
-
-
-
-
-
-
-
-
-
-
-s: |
-MessageFormat |
-MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR |
-Invalid message from the Mobile Device Management (MDM) server. |
-80180001 |
-
-
-s: |
-Authentication |
-MENROLL_E_DEVICE_AUTHENTICATION_ERROR |
-The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator. |
-80180002 |
-
-
-s: |
-Authorization |
-MENROLL_E_DEVICE_AUTHORIZATION_ERROR |
-The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. |
-80180003 |
-
-
-s: |
-CertificateRequest |
-MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR |
-The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. |
-80180004 |
-
-
-s: |
-EnrollmentServer |
-MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR |
-The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. |
-80180005 |
-
-
-a: |
-InternalServiceFault |
-MENROLL_E_DEVICE_INTERNALSERVICE_ERROR |
- There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. |
-80180006 |
-
-
-a: |
-InvalidSecurity |
-MENROLL_E_DEVICE_INVALIDSECURITY_ERROR |
-The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. |
-80180007 |
-
-
-
+|Namespace|Subcode|Error|Description|HRESULT|
+|--- |--- |--- |--- |--- |
+|s:|MessageFormat|MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|Invalid message from the Mobile Device Management (MDM) server.|80180001|
+|s:|Authentication|MENROLL_E_DEVICE_AUTHENTICATION_ERROR|The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.|80180002|
+|s:|Authorization|MENROLL_E_DEVICE_AUTHORIZATION_ERROR|The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.|80180003|
+|s:|CertificateRequest|MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR|The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.|80180004|
+|s:|EnrollmentServer|MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.|80180005|
+|a:|InternalServiceFault|MENROLL_E_DEVICE_INTERNALSERVICE_ERROR|There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.|80180006|
+|a:|InvalidSecurity|MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.|80180007|
In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example:
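Review bot: the fault table runs straight into the paragraph `In Windows 10, version 1507, we added the deviceenrollmentserviceerror element` with no blank line; add one after the `InvalidSecurity` row. Two readability points on the new columns: the `HRESULT` values are written without a base prefix (`80180001`), and since they are hex HRESULTs a `0x` prefix (`0x80180001`) removes any doubt when someone searches a log for them; and the `Namespace` column now shows only the prefixes `s:` and `a:`, which only make sense against the SOAP Fault example above the table, so either name the column `Prefix` or say in the lead-in that these are the prefixes bound in that example.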
@@ -212,66 +152,15 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
```
-
-
-
-
-
-
-
-
-
-
-
-
-DeviceCapReached |
-MENROLL_E_DEVICECAPREACHED |
-The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error. |
-80180013 |
-
-
-DeviceNotSupported |
-MENROLL_E_DEVICENOTSUPPORTED |
-The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device. |
-80180014 |
-
-
-NotSupported |
-MENROLL_E_NOT_SUPPORTED |
-Mobile Device Management (MDM) is generally not supported for this device. |
-80180015 |
-
-
-NotEligibleToRenew |
-MENROLL_E_NOTELIGIBLETORENEW |
-The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device. |
-80180016 |
-
-
-InMaintenance |
-MENROLL_E_INMAINTENANCE |
-The Mobile Device Management (MDM) server states your account is in maintenance, try again later. |
-80180017 |
-
-
-UserLicense |
-MENROLL_E_USER_LICENSE |
-There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator. |
-80180018 |
-
-
-InvalidEnrollmentData |
-MENROLL_E_ENROLLMENTDATAINVALID |
-The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. |
-80180019 |
-
-
-
+|Subcode|Error|Description|HRESULT|
+|--- |--- |--- |--- |
+|DeviceCapReached|MENROLL_E_DEVICECAPREACHED|The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.|80180013|
+|DeviceNotSupported|MENROLL_E_DEVICENOTSUPPORTED|The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.|80180014|
+|NotSupported|MENROLL_E_NOT_SUPPORTED|Mobile Device Management (MDM) is generally not supported for this device.|80180015|
+|NotEligibleToRenew|MENROLL_E_NOTELIGIBLETORENEW|The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.|80180016|
+|InMaintenance|MENROLL_E_INMAINTENANCE|The Mobile Device Management (MDM) server states your account is in maintenance, try again later.|80180017|
+|UserLicense|MENROLL_E_USER_LICENSE|There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.|80180018|
+|InvalidEnrollmentData|MENROLL_E_ENROLLMENTDATAINVALID|The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.|80180019|
TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
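Review bot: add a blank line after the `InvalidEnrollmentData` row before `TraceID is a freeform text node which is logged.`; the table currently runs into the paragraph. As with the first fault table in this file, the `HRESULT` column would read better with an explicit `0x` prefix (`0x80180013` through `0x80180019`) so the values are unambiguously hexadecimal when matched against client-side logs.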
diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md
index 89d18c8eff..a46cce0ddf 100644
--- a/windows/client-management/mdm/nap-csp.md
+++ b/windows/client-management/mdm/nap-csp.md
@@ -87,34 +87,11 @@ Required. Specifies the type of address used to identify the destination network
The following table shows some commonly used ADDRTYPE values and the types of connection that corresponds with each value.
-
-
-
-
-
-
-
-
-
-
-E164 |
-RAS connections |
-
-
-APN |
-GPRS connections |
-
-
-ALPHA |
-Wi-Fi-based connections |
-
-
-
-
-
+|ADDRTYPE Value|Connection Type|
+|--- |--- |
+|E164|RAS connections|
+|APN|GPRS connections|
+|ALPHA|Wi-Fi-based connections|
***NAPX*/AuthInfo**
Optional node. Specifies the authentication information, including the protocol, user name, and password.
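Review bot: the ADDRTYPE table is followed directly by the `***NAPX*/AuthInfo**` node heading with no blank line; add one after the `ALPHA` row so the table is closed before the heading, matching the spacing the other node headings in this file get.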
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index bf9a0bc281..2c7ac27df6 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -127,39 +127,12 @@ The name of the *NAPID* element is the same as the value passed during initial b
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
-
-
-
-
-
-
-
-
-
-
-Parm-query |
-Yes
-Note that some GPRS parameters will not necessarily contain the exact same value as was set. |
-
-
-Noparm |
-Yes |
-
-
-Nocharacteristic |
-Yes |
-
-
-Characteristic-query |
-Yes |
-
-
-
-
-
+|Elements|Available|
+|--- |--- |
+|Parm-query|Yes
Note that some GPRS parameters will not necessarily contain the exact same value as was set.|
+|Noparm|Yes|
+|Nocharacteristic|Yes|
+|Characteristic-query|Yes|
## Related topics
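Review bot: the `Parm-query` row is broken across two lines (`+|Parm-query|Yes` and then `Note that some GPRS parameters ... as was set.|`), and a markdown table row cannot span lines, so the note is dropped out of the table and the row is left unterminated. Fold it into one line, e.g. `|Parm-query|Yes. Note that some GPRS parameters will not necessarily contain the exact same value as was set.|` (or separate with `<br>`). The second line also lacks the `+` diff marker, so check that it was actually added to the file rather than left as a stray line.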
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index 7516e3c411..e6f3f66cd6 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -151,140 +151,24 @@ To get the current status of Office 365 on the device.
## Status code
-
-
-
-
-
-
-
-
-
-
-
-
-0 |
-Installation succeeded |
-OK |
-
-
-997 |
-Installation in progress |
- |
-
-
-13 |
-ERROR_INVALID_DATA
- Cannot verify signature of the downloaded Office Deployment Tool (ODT) |
-Failure |
-
-
-1460 |
-ERROR_TIMEOUT
- Failed to download ODT |
-Failure |
-
-
-1602 |
-ERROR_INSTALL_USEREXIT
- User cancelled the installation |
-Failure |
-
-
-1603 |
-ERROR_INSTALL_FAILURE
- Failed any pre-req check.
-
-- SxS (Tried to install when 2016 MSI is installed)
-- Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)
-
- |
-Failure |
-
-
-17000 |
-ERROR_PROCESSPOOL_INITIALIZATION
- Failed to start C2RClient |
-Failure |
-
-
-17001 |
-ERROR_QUEUE_SCENARIO
- Failed to queue installation scenario in C2RClient |
-Failure |
-
-
-17002 |
-ERROR_COMPLETING_SCENARIO
- Failed to complete the process. Possible reasons:
-
-- Installation cancelled by user
-- Installation cancelled by another installation
-- Out of disk space during installation
-- Unknown language ID
- |
-Failure |
-
-
-17003 |
-ERROR_ANOTHER_RUNNING_SCENARIO
- Another scenario is running |
-Failure |
-
-
-17004 |
-ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
- Possible reasons:
-
-- Unknown SKUs
-- Content does't exist on CDN
-
- such as trying to install an unsupported LAP, like zh-sg
-- CDN issue that content is not available
-
-- Signature check issue, such as failed the signature check for Office content
-- User cancelled
-
- |
-Failure |
-
-
-17005 |
-ERROR_SCENARIO_CANCELLED_AS_PLANNED |
-Failure |
-
-
-17006 |
-ERROR_SCENARIO_CANCELLED
- Blocked update by running apps |
-Failure |
-
-
-17007 |
-ERROR_REMOVE_INSTALLATION_NEEDED
- The client is requesting client clean up in a "Remove Installation" scenario |
-Failure |
-
-
-17100 |
-ERROR_HANDLING_COMMAND_LINE
- C2RClient command line error |
-Failure |
-
-
-0x80004005 |
-E_FAIL
- ODT cannot be used to install Volume license |
-Failure |
-
-
-0x8000ffff |
-E_UNEXPECTED
- Tried to uninstall when there is no C2R Office on the machine. |
-Failure |
-
-
-
\ No newline at end of file
+|Status|Description|Comment|
+|--- |--- |--- |
+|0|Installation succeeded|OK|
+|997|Installation in progress||
+|13|ERROR_INVALID_DATA
Cannot verify signature of the downloaded Office Deployment Tool (ODT)|Failure|
+|1460|ERROR_TIMEOUT
Failed to download ODT|Failure|
+|1602|ERROR_INSTALL_USEREXIT
User cancelled the installation|Failure|
+|1603|ERROR_INSTALL_FAILURE
Failed any pre-req check.SxS (Tried to install when 2016 MSI is installed)Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure|
+|17000|ERROR_PROCESSPOOL_INITIALIZATION
+Failed to start C2RClient|Failure|
+|17001|ERROR_QUEUE_SCENARIO
+Failed to queue installation scenario in C2RClient|Failure|
+|17002|ERROR_COMPLETING_SCENARIO
Failed to complete the process. Possible reasons:Installation cancelled by userInstallation cancelled by another installationOut of disk space during installation Unknown language ID|Failure|
+|17003|ERROR_ANOTHER_RUNNING_SCENARIO
Another scenario is running|Failure|
+|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
Possible reasons:Unknown SKUsContent does't exist on CDN- such as trying to install an unsupported LAP, like zh-sg
- CDN issue that content is not available
Signature check issue, such as failed the signature check for Office contentUser cancelled|Failure|
+|17005|ERROR_SCENARIO_CANCELLED_AS_PLANNED|Failure|
+|17006|ERROR_SCENARIO_CANCELLED
Blocked update by running apps|Failure|
+|17007|ERROR_REMOVE_INSTALLATION_NEEDED
The client is requesting client clean up in a "Remove Installation" scenario|Failure|
+|17100|ERROR_HANDLING_COMMAND_LINE
C2RClient command line error|Failure|
+|0x80004005|E_FAIL
ODT cannot be used to install Volume license|Failure|
+|0x8000ffff|E_UNEXPECTED
Tried to uninstall when there is no C2R Office on the machine.|Failure|
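Review bot: most rows of the status-code table are split across lines (`+|13|ERROR_INVALID_DATA` / `Cannot verify signature ... (ODT)|Failure|`, and the same for 1460, 1602, 1603, 17000 through 17100, 0x80004005 and 0x8000ffff), which GFM cannot parse as a single row; every row needs to be on one line, with `<br>` where the original had a line break between the error name and its explanation. The converted bullet lists have also been run together without separators (`Failed any pre-req check.SxS (Tried to install when 2016 MSI is installed)Bit mismatch ...`, `Installation cancelled by userInstallation cancelled by another installationOut of disk space ...`), and in the 17004 row one bullet survived as a stray standalone line (`- CDN issue that content is not available`) while the others were concatenated; use `<ul><li>` or `<br>` inside the cell so the individual reasons stay readable. While here, fix the carried-over typo `Content does't exist on CDN` and end the file with a newline, since the old version is flagged `\ No newline at end of file`.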
diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md
index 5e8ad6957f..8fac08e56a 100644
--- a/windows/client-management/mdm/oma-dm-protocol-support.md
+++ b/windows/client-management/mdm/oma-dm-protocol-support.md
@@ -35,113 +35,17 @@ The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA
The following table shows the OMA DM standards that Windows uses.
-
-
-
-
-
-
-
-
-
-
-Data transport and session |
-
-Client-initiated remote HTTPS DM session over SSL.
-Remote HTTPS DM session over SSL.
-Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
-Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.
- |
-
-
-Bootstrap XML |
- |
-
-
-DM protocol commands |
-The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.
-
-Add (Implicit Add supported)
-Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
-Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
-Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
-Exec: Invokes an executable on the client device
-Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
-Replace: Overwrites data on the client device
-Result: Returns the data results of a Get command to the DM server
-Sequence: Specifies the order in which a group of commands must be processed
-Status: Indicates the completion status (success or failure) of an operation
-
-If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
-
-SyncBody
-Atomic
-Sequence
-
-If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
-If Atomic elements are nested, the following status codes are returned:
-
-For more information about the Atomic command, see OMA DM protocol common elements.
-Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
-LocURI cannot start with "/".
-Meta XML tag in SyncHdr is ignored by the device. |
-
-
-OMA DM standard objects |
- |
-
-
-Security |
-
-Authenticate DM server initiation notification SMS message (not used by enterprise management)
-Application layer Basic and MD5 client authentication
-Authenticate server with MD5 credential at application level
-Data integrity and authentication with HMAC at application level
-SSL level certificate based client/server authentication, encryption, and data integrity check
- |
-
-
-Nodes |
-In the OMA DM tree, the following rules apply for the node name:
-
-"." can be part of the node name.
-The node name cannot be empty.
-The node name cannot be only the asterisk (*) character.
- |
-
-
-Provisioning Files |
-Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.
-If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
-
- NoteTo represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
-
-
-
- |
-
-
-WBXML support |
-Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification. |
-
-
-Handling of large objects |
-In Windows 10, version 1511, client support for uploading large objects to the server was added. |
-
-
-
+|General area|OMA DM standard that is supported|
+|--- |--- |
+|Data transport and session|Client-initiated remote HTTPS DM session over SSL.Remote HTTPS DM session over SSL.Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.|
+|Bootstrap XML|OMA Client Provisioning XML.|
+|DM protocol commands|The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.Add (Implicit Add supported)Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one existsExec: Invokes an executable on the client deviceGet: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded formatReplace: Overwrites data on the client deviceResult: Returns the data results of a Get command to the DM serverSequence: Specifies the order in which a group of commands must be processedStatus: Indicates the completion status (success or failure) of an operation
If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:SyncBodyAtomicSequence
If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
If Atomic elements are nested, the following status codes are returned:The nested Atomic command returns 500.The parent Atomic command returns 507.
For more information about the Atomic command, see OMA DM protocol common elements.
Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
LocURI cannot start with "/".
Meta XML tag in SyncHdr is ignored by the device.|
+|OMA DM standard objects|DevInfoDevDetailOMA DM DMS account objects (OMA DM version 1.2)|
+|Security|Authenticate DM server initiation notification SMS message (not used by enterprise management)Application layer Basic and MD5 client authenticationAuthenticate server with MD5 credential at application levelData integrity and authentication with HMAC at application levelSSL level certificate based client/server authentication, encryption, and data integrity check|
+|Nodes|In the OMA DM tree, the following rules apply for the node name:"" can be part of the node name.The node name cannot be empty.The node name cannot be only the asterisk (*) character.|
+|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).
If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.**Note**
To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
|
+|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.|
+|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.|
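Review bot: the Nodes row lost a character in conversion: the old text read `"." can be part of the node name.` but the new row says `"" can be part of the node name.`, which changes the rule; restore the `.`. In the Provisioning Files row the link is malformed, `follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).` is missing its opening `[`. In the DM protocol commands row the citation was rewritten to `see "[OMA website](...)" available from the OMA website`, which drops the spec title and repeats "OMA website"; keep the spec name ("SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)") as the link text. Finally, list items in several cells were concatenated with no separator (`over SSL.Remote HTTPS DM session`, `if one existsExec: Invokes`, `SyncBodyAtomicSequence`, `DevInfoDevDetailOMA DM DMS`) and the DM protocol commands and Provisioning Files rows still span multiple lines, so they will not render as rows; put each row on one line and separate items with `<br>` or `<li>`.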
@@ -149,99 +53,26 @@ The following table shows the OMA DM standards that Windows uses.
Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
-
-
-
-
-
-
-
-
-
-
-Chal |
-Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message. |
-
-
-Cmd |
-Specifies the name of an OMA DM command referenced in a Status element. |
-
-
-CmdID |
-Specifies the unique identifier for an OMA DM command. |
-
-
-CmdRef |
-Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message. |
-
-
-Cred |
-Specifies the authentication credential for the originator of the message. |
-
-
-Final |
-Indicates that the current message is the last message in the package. |
-
-
-LocName |
-Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication. |
-
-
-LocURI |
-Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard. |
-
-
-MsgID |
-Specifies a unique identifier for an OMA DM session message. |
-
-
-MsgRef |
-Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element. |
-
-
-RespURI |
-Specifies the URI that the recipient must use when sending a response to this message. |
-
-
-SessionID |
-Specifies the identifier of the OMA DM session associated with the containing message.
-
-Note If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.
-
-
-
- |
-
-
-Source |
-Specifies the message source address. |
-
-
-SourceRef |
-Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element. |
-
-
-Target |
-Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command. |
-
-
-TargetRef |
-Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element. |
-
-
-VerDTD |
-Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message. |
-
-
-VerProto |
-Specifies the major and minor version identifier of the OMA DM protocol specification used with the message. |
-
-
-
-
+|Element|Description|
+|--- |--- |
+|Chal|Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.|
+|Cmd|Specifies the name of an OMA DM command referenced in a Status element.|
+|CmdID|Specifies the unique identifier for an OMA DM command.|
+|CmdRef|Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.|
+|Cred|Specifies the authentication credential for the originator of the message.|
+|Final|Indicates that the current message is the last message in the package.|
+|LocName|Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.|
+|LocURI|Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.|
+|MsgID|Specifies a unique identifier for an OMA DM session message.|
+|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.|
+|RespURI|Specifies the URI that the recipient must use when sending a response to this message.|
+|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.**Note**
If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.
|
+|Source|Specifies the message source address.|
+|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.|
+|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.|
+|TargetRef|Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.|
+|VerDTD|Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.|
+|VerProto|Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.|
## Device management session
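Review bot: the SessionID row spans three lines (`+|SessionID|Specifies the identifier ... containing message.**Note**` followed by the note text and a lone `|`), so it will not be parsed as a table row, and `**Note**` is glued to the preceding sentence. Fold the row onto one line with a `<br>` before the note, e.g. `|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.<br>**Note** If the server does not notify the device ... returns 2 bytes.|`. The other rows of the common-elements table look correct.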
@@ -257,52 +88,13 @@ A DM session can be divided into two phases:
The following table shows the sequence of events during a typical DM session.
-
-
-
-
-
-
-
-
-
-
-
-1 |
-DM client is invoked to call back to the management server
-Enterprise scenario – The device task schedule invokes the DM client. |
-The MO server sends a server trigger message to invoke the DM client.
-The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
-Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS. |
-
-
-2 |
-The device sends a message, over an IP connection, to initiate the session. |
-This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level. |
-
-
-3 |
-The DM server responds, over an IP connection (HTTPS). |
-The server sends initial device management commands, if any. |
-
-
-4 |
-The device responds to server management commands. |
-This message includes the results of performing the specified device management operations. |
-
-
-5 |
-The DM server terminates the session or sends another command. |
-The DM session ends, or Step 4 is repeated. |
-
-
-
-
-
+|Step|Action|Description|
+|--- |--- |--- |
+|1|DM client is invoked to call back to the management server
Enterprise scenario – The device task schedule invokes the DM client.|The MO server sends a server trigger message to invoke the DM client.
The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.|
+|2|The device sends a message, over an IP connection, to initiate the session.|This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.|
+|3|The DM server responds, over an IP connection (HTTPS).|The server sends initial device management commands, if any.|
+|4|The device responds to server management commands.|This message includes the results of performing the specified device management operations.|
+|5|The DM server terminates the session or sends another command.|The DM session ends, or Step 4 is repeated.|
The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
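Review bot: step 1 of the session table is spread over four lines (`+|1|DM client is invoked to call back to the management server` through `Enterprise scenario - At the scheduled time, ... over HTTPS.|`), which breaks the table; join them into a single row using `<br>` for the line breaks within the Action and Description cells. The row also mixes an en dash (`Enterprise scenario –`) and a hyphen (`Enterprise scenario -`) for the same construction; pick one.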
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index c3d8c37963..b1b74f16be 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -38,33 +38,13 @@ manager: dansimp
**AboveLock/AllowCortanaAboveLock**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- Yes |
- Yes |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
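Review bot: this table is emitted directly after the bold node name `**AboveLock/AllowCortanaAboveLock**` with no added empty line, whereas the AllowToasts hunk in the same file adds one (`+` blank line before `+|Edition|Windows 10|Windows 11|`). Add the blank line here as well so the heading stays its own paragraph and the two sections are formatted consistently.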
@@ -105,28 +85,13 @@ The following list shows the supported values:
**AboveLock/AllowToasts**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No | No |
-
-
- Pro |
- Yes, starting in Windows 10, version 1607 | Yes |
-
-
- Enterprise |
- Yes, starting in Windows 10, version 1607 | Yes |
-
-
- Education |
- Yes, starting in Windows 10, version 1607 | Yes |
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes, starting in Windows 10, version 1607|Yes|
+|Enterprise|Yes, starting in Windows 10, version 1607|Yes|
+|Education|Yes, starting in Windows 10, version 1607|Yes|
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index ed466fe64a..795f89e92c 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -40,43 +40,15 @@ manager: dansimp
**Accounts/AllowAddingNonMicrosoftAccountsManually**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- Yes |
- Yes |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
-
- Mobile |
- Yes |
- Yes |
-
-
- Mobile Enterprise |
- Yes |
- Yes |
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|Yes|Yes|
+|Mobile Enterprise|Yes|Yes|
@@ -114,48 +86,16 @@ The following list shows the supported values:
**Accounts/AllowMicrosoftAccountConnection**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- Yes |
- Yes |
-
-
- Business |
- Yes |
- Yes |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
-
- Mobile |
- Yes |
- Yes |
-
-
- Mobile Enterprise |
- Yes |
- Yes |
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|Yes|Yes|
+|Mobile Enterprise|Yes|Yes|
@@ -190,48 +130,16 @@ The following list shows the supported values:
**Accounts/AllowMicrosoftAccountSignInAssistant**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- Yes |
- Yes |
-
-
- Business |
- Yes |
- Yes |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
-
- Mobile |
- Yes |
- Yes |
-
-
- Mobile Enterprise |
- Yes |
- Yes |
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|Yes|Yes|
+|Mobile Enterprise|Yes|Yes|
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 95c9e7d80b..60248d3ecc 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -40,31 +40,13 @@ manager: dansimp
**ActiveXControls/ApprovedInstallationSites**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No | No |
-
-
- Pro |
- Yes |
- Yes |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
index c574952e31..0b63ffc56d 100644
--- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
+++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
@@ -40,31 +40,14 @@ manager: dansimp
**ADMX_ActiveXInstallService/AxISURLZonePolicies**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
- Home |
- No |
- No |
-
-
- Pro |
- Yes |
- Yes |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
index dfb1da857f..de3506d5e5 100644
--- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
+++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
@@ -70,20 +70,10 @@ manager: dansimp
**ADMX_AddRemovePrograms/DefaultCategory**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
-
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
@@ -135,34 +125,14 @@ ADMX Info:
**ADMX_AddRemovePrograms/NoAddFromCDorFloppy**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- No |
- No |
-
-
- Business |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|||
+|Enterprise|Yes|Yes|
+|Education|||
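Review bot: `|Business|||` and `|Education|||` carry empty Windows 10 / Windows 11 cells, faithfully reproducing the old HTML rows that had no value cells, but every other ADMX_AddRemovePrograms table in this patch lists Business as No/No and Education as Yes/Yes. Please confirm with the policy owner whether the empty cells are intentional for NoAddFromCDorFloppy or an omission in the source HTML, and fill them in if the latter.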
@@ -212,38 +182,14 @@ ADMX Info:
**ADMX_AddRemovePrograms/NoAddFromInternet**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- No |
- No |
-
-
- Business |
- No |
- No |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -294,38 +240,14 @@ ADMX Info:
**ADMX_AddRemovePrograms/NoAddFromNetwork**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- No |
- No |
-
-
- Business |
- No |
- No |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -377,38 +299,14 @@ ADMX Info:
**ADMX_AddRemovePrograms/NoAddPage**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- No |
- No |
-
-
- Business |
- No |
- No |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -456,38 +354,14 @@ ADMX Info:
**ADMX_AddRemovePrograms/NoAddRemovePrograms**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- No |
- No |
-
-
- Business |
- No |
- No |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -535,38 +409,14 @@ ADMX Info:
**ADMX_AddRemovePrograms/NoChooseProgramsPage**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- No |
- No |
-
-
- Business |
- No |
- No |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -615,37 +465,14 @@ ADMX Info:
**ADMX_AddRemovePrograms/NoRemovePage**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- No |
- No |
-
-
- Business |
- No |
- No |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -693,38 +520,14 @@ ADMX Info:
**ADMX_AddRemovePrograms/NoServices**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- No |
- No |
-
-
- Business |
- No |
- No |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -775,38 +578,14 @@ ADMX Info:
**ADMX_AddRemovePrograms/NoSupportInfo**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- No |
- No |
-
-
- Business |
- No |
- No |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
@@ -856,38 +635,14 @@ ADMX Info:
**ADMX_AddRemovePrograms/NoWindowsSetupPage**
-
-
- Edition |
- Windows 10 |
- Windows 11 |
-
-
- Home |
- No |
- No |
-
-
- Pro |
- No |
- No |
-
-
- Business |
- No |
- No |
-
-
- Enterprise |
- Yes |
- Yes |
-
-
- Education |
- Yes |
- Yes |
-
-
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
From 3dde25d7423a6bc50f00997cc8506643f45b71a5 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi
Date: Thu, 11 Nov 2021 10:17:52 +0530
Subject: [PATCH 02/14] Fixing Acrolinx score
---
windows/client-management/mdm/office-csp.md | 14 +++++++-------
.../mdm/oma-dm-protocol-support.md | 14 +++++++-------
2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index e6f3f66cd6..d505f71d74 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -18,7 +18,7 @@ The Office configuration service provider (CSP) enables a Microsoft Office clien
This CSP was added in Windows 10, version 1703.
-For additional information, see [Office DDF](office-ddf.md).
+For more information, see [Office DDF](office-ddf.md).
The following shows the Office configuration service provider in tree format.
```
@@ -78,7 +78,7 @@ Behavior:
- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it.
- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values:
- When status = 0: 70 (succeeded)
- - When status != 0: 60 (failed)
+ - When status!= 0: 60 (failed)
**Installation/CurrentStatus**
Returns an XML of current Office 365 installation status on the device.
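Review bot: the `+` line that turns `When status != 0: 60 (failed)` into `When status!= 0: 60 (failed)` drops the space before the operator, which reads as a typo and is inconsistent with `When status = 0: 70 (succeeded)` directly above it. Keep `status != 0`, ideally with the operator in backticks (`` `status != 0` ``) so the prose linter stops rewriting it.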
@@ -157,18 +157,18 @@ To get the current status of Office 365 on the device.
|997|Installation in progress||
|13|ERROR_INVALID_DATA
Cannot verify signature of the downloaded Office Deployment Tool (ODT)|Failure|
|1460|ERROR_TIMEOUT
Failed to download ODT|Failure|
-|1602|ERROR_INSTALL_USEREXIT
User cancelled the installation|Failure|
+|1602|ERROR_INSTALL_USEREXIT
User canceled the installation|Failure|
|1603|ERROR_INSTALL_FAILURE
Failed any pre-req check.SxS (Tried to install when 2016 MSI is installed)Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure|
|17000|ERROR_PROCESSPOOL_INITIALIZATION
Failed to start C2RClient|Failure|
|17001|ERROR_QUEUE_SCENARIO
Failed to queue installation scenario in C2RClient|Failure|
-|17002|ERROR_COMPLETING_SCENARIO
Failed to complete the process. Possible reasons:Installation cancelled by userInstallation cancelled by another installationOut of disk space during installation Unknown language ID|Failure|
+|17002|ERROR_COMPLETING_SCENARIO
Failed to complete the process. Possible reasons:Installation canceled by userInstallation canceled by another installationOut of disk space during installation Unknown language ID|Failure|
|17003|ERROR_ANOTHER_RUNNING_SCENARIO
Another scenario is running|Failure|
-|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
Possible reasons:Unknown SKUsContent does't exist on CDN- such as trying to install an unsupported LAP, like zh-sg
- CDN issue that content is not available
Signature check issue, such as failed the signature check for Office contentUser cancelled|Failure|
+|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
Possible reasons:Unknown SKUsContent does't exist on CDN- Such as trying to install an unsupported LAP, like zh-sg
- CDN issue that content is not available
Signature check issue, such as failed the signature check for Office contentUser canceled|Failure|
|17005|ERROR_SCENARIO_CANCELLED_AS_PLANNED|Failure|
|17006|ERROR_SCENARIO_CANCELLED
Blocked update by running apps|Failure|
-|17007|ERROR_REMOVE_INSTALLATION_NEEDED
The client is requesting client clean up in a "Remove Installation" scenario|Failure|
-|17100|ERROR_HANDLING_COMMAND_LINE
C2RClient command line error|Failure|
+|17007|ERROR_REMOVE_INSTALLATION_NEEDED
The client is requesting client clean-up in a "Remove Installation" scenario|Failure|
+|17100|ERROR_HANDLING_COMMAND_LINE
C2RClient command-line error|Failure|
|0x80004005|E_FAIL
ODT cannot be used to install Volume license|Failure|
|0x8000ffff|E_UNEXPECTED
Tried to uninstall when there is no C2R Office on the machine.|Failure|
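Review bot: the rewritten 17004 row still carries the typo `Content does't exist on CDN`; since the `+` line already touches that cell, fix it to `doesn't`. In the same table, the reason lists run together with no separator (`Unknown SKUsContent does't exist on CDN`, `Installation canceled by userInstallation canceled by another installation`), and the 1603 row has `pre-req check.SxS` with no space after the period; a `<br>` or semicolon between reasons would make those cells readable.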
diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md
index 8fac08e56a..e0f5141f02 100644
--- a/windows/client-management/mdm/oma-dm-protocol-support.md
+++ b/windows/client-management/mdm/oma-dm-protocol-support.md
@@ -39,9 +39,9 @@ The following table shows the OMA DM standards that Windows uses.
|--- |--- |
|Data transport and session|Client-initiated remote HTTPS DM session over SSL.Remote HTTPS DM session over SSL.Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.|
|Bootstrap XML|OMA Client Provisioning XML.|
-|DM protocol commands|The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.Add (Implicit Add supported)Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one existsExec: Invokes an executable on the client deviceGet: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded formatReplace: Overwrites data on the client deviceResult: Returns the data results of a Get command to the DM serverSequence: Specifies the order in which a group of commands must be processedStatus: Indicates the completion status (success or failure) of an operation
If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:SyncBodyAtomicSequence
If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
If Atomic elements are nested, the following status codes are returned:The nested Atomic command returns 500.The parent Atomic command returns 507.
For more information about the Atomic command, see OMA DM protocol common elements.
Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
LocURI cannot start with "/".
Meta XML tag in SyncHdr is ignored by the device.|
+|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.Add (Implicit Add supported)Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one existsExec: Invokes an executable on the client deviceGet: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded formatReplace: Overwrites data on the client deviceResult: Returns the data results of a Get command to the DM serverSequence: Specifies the order in which a group of commands must be processedStatus: Indicates the completion status (success or failure) of an operation
If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:SyncBodyAtomicSequence
If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
If Atomic elements are nested, the following status codes are returned:The nested Atomic command returns 500.The parent Atomic command returns 507.
For more information about the Atomic command, see OMA DM protocol common elements.
Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
LocURI cannot start with "/".
Meta XML tag in SyncHdr is ignored by the device.|
|OMA DM standard objects|DevInfoDevDetailOMA DM DMS account objects (OMA DM version 1.2)|
-|Security|Authenticate DM server initiation notification SMS message (not used by enterprise management)Application layer Basic and MD5 client authenticationAuthenticate server with MD5 credential at application levelData integrity and authentication with HMAC at application levelSSL level certificate based client/server authentication, encryption, and data integrity check|
+|Security|Authenticate DM server initiation notification SMS message (not used by enterprise management)Application layer Basic and MD5 client authenticationAuthenticate server with MD5 credential at application levelData integrity and authentication with HMAC at application levelSSL level certificate-based client/server authentication, encryption, and data integrity check|
|Nodes|In the OMA DM tree, the following rules apply for the node name:"" can be part of the node name.The node name cannot be empty.The node name cannot be only the asterisk (*) character.|
|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).
If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.**Note**
To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
|
|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.|
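Review bot: the Provisioning Files row links `...follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905)` without the opening `[`, so it renders as plain text with a dangling `]`; since this hunk is already editing the table, add the bracket. Also, the rewritten DM protocol commands cell says `see "[OMA website](...)" available from the OMA website`, naming the site twice; `see the [OMA website](...)` is enough.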
@@ -96,7 +96,7 @@ The following table shows the sequence of events during a typical DM session.
|4|The device responds to server management commands.|This message includes the results of performing the specified device management operations.|
|5|The DM server terminates the session or sends another command.|The DM session ends, or Step 4 is repeated.|
-The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
+The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started.
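Review bot: `increasing by an increment of 1 for each extra message` reads as though the later messages were optional; `for each subsequent message` keeps the intended meaning that MsgID is a strictly increasing per-session counter starting at 1.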
@@ -111,9 +111,9 @@ For CSPs and policies that support per user configuration, the MDM server can se
The data part of this alert could be one of following strings:
-- user – the user that enrolled the device is actively logged in. The MDM server could send user specific configuration for CSPs/policies that support per user configuration
-- others – another user login but that user does not have an MDM account. The server can only apply device wide configuration, e.g. configuration applies to all users in the device.
-- none – no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login).
+- User – the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration
+- Others – another user login but that user does not have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device.
+- None – no active user login. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user login).
Below is an alert example:
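Review bot: capitalizing `user`, `others` and `none` to `User`, `Others`, `None` changes documented protocol values rather than prose: the context line above says these are the strings carried in the alert's data part, so a server comparing against the capitalized form would not match what the device sends. Keep the lowercase literals and wrap them in backticks (`` `user` ``, `` `others` ``, `` `none` ``) so the style tooling leaves them alone; the other wording changes in this hunk (`user-specific`, `device-wide`, `for example`) are fine.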
@@ -148,7 +148,7 @@ When using SyncML in OMA DM, there are standard response status codes that are r
| 200 | The SyncML command completed successfully. |
| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. |
| 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. |
-| 214 | Operation cancelled. The SyncML command completed successfully, but no more commands will be processed within the session. |
+| 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. |
| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. |
| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. |
| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. |
From 2f78e4e3175eb4f8b05d6d2ee16e4ae9eb8c1e2b Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger
Date: Tue, 16 Nov 2021 13:55:40 -0500
Subject: [PATCH 03/14] Removed HTML; Formatting
---
.../mdm/healthattestation-csp.md | 1074 +++++++++--------
1 file changed, 578 insertions(+), 496 deletions(-)
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index b29bed482b..3f2e38b93b 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -30,48 +30,42 @@ Windows 11 introduces an update to the device health attestation feature. This h
The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device.
### Terms
-**TPM (Trusted Platform Module)**
-TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.
-**DHA (Device HealthAttestation) feature**
-The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
+- **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.
-**MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)**
-The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
+- **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
-**MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)**
-The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service.
-The following list of operations is performed by MAA-CSP:
-
-- Receives attestation trigger requests from a HealthAttestation enabled MDM provider.
-- The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device.
-- Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider.
-- Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device.
-
+- **MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)**: The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
-**MAA endpoint**
-Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint.
+- **MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)**: The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service.
-**JWT (JSON Web Token)**
-JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair.
+ The following list of operations is performed by MAA-CSP:
+
+ - Receives attestation trigger requests from a HealthAttestation enabled MDM provider.
+ - The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device.
+ - Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider.
+ - Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device.
+
+- **MAA endpoint**: Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint.
+
+- **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair.
### Attestation Flow with Microsoft Azure Attestation Service

-
-Attestation flow can be broadly in three main steps:
-
- - An instance of the Azure Attestation service is set up with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
- - The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved.
- - The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device.
-
+Attestation flow can be broadly in three main steps:
-The protocol implemented can be found here: Attestation Protocol.
+- An instance of the Azure Attestation service is set up with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
+- The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved.
+- The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device.
+
+For more information, see [Attestation Protocol](/azure/attestation/virtualization-based-security-protocol).
### Configuration Service Provider Nodes
Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service.
-```
+
+```console
./Vendor/MSFT
HealthAttestation
----...
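Review bot: the third attestation-flow bullet in the `+` lines, `The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device`, is grammatically broken; suggest `After verifying that the token was issued by the attestation service, the MDM provider can parse it to read the attested state of the device`, which also makes clear that the JWT signature check described in the Terms list is the step that must happen first. Smaller points in the same hunk: `as well security features` needs `as well as`, `every instance of the service gets administrator configured URL` needs `an administrator-configured URL`, and the TPM bullet mixes `hardware-protected` with `hardware protected`.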
@@ -92,16 +86,17 @@ HealthAttestation
----MaxSupportedProtocolVersion
```
-
**./Vendor/MSFT/HealthAttestation**
-The root node for the device HealthAttestation configuration service provider.
+
+The root node for the device HealthAttestation configuration service provider.
**TriggerAttestation** (Required)
-Node type: EXECUTE
-This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned.
-
-Templated SyncML Call:
+Node type: EXECUTE
+
+This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned.
+
+Templated SyncML Call:
```xml
@@ -127,16 +122,15 @@ This node will trigger attestation flow by launching an attestation process. If
```
-Data fields:
-
-- rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
-- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
-- nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
-- aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service.
-- cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes.
-
+Data fields:
-Sample Data:
+- rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
+- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
+- nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
+- aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service.
+- cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes.
+
+Sample Data:
```json
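Review bot: in the rewritten data-field list, `identifier(Correlation Vector) that will passed in to the service call` is missing `be` (`that will be passed in to the service call`) and a space before the parenthesis; `serviceEndpoint :` and `nonce :` also have a stray space before the colon that the other items do not.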
@@ -151,12 +145,13 @@ This node will trigger attestation flow by launching an attestation process. If
```
**AttestStatus**
-Node type: GET
+
+Node type: GET
+
This node will retrieve the status(HRESULT value) stored in registry updated by the attestation process triggered in the previous step.
The status is always cleared prior to making the attest service call.
-
-Templated SyncML Call:
+Templated SyncML Call:
```xml
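Review bot: the context line `retrieve the status(HRESULT value) stored in registry` needs a space before the parenthesis and `in the registry`; since this hunk already reflows the AttestStatus description, fold those fixes in.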
@@ -175,20 +170,21 @@ The status is always cleared prior to making the attest service call.
```
-Sample Data:
+Sample Data:
-```
+```console
If Successful: 0
If Failed: A corresponding HRESULT error code
Example: 0x80072efd, WININET_E_CANNOT_CONNECT
```
**GetAttestReport**
-Node type: GET
-This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store.
-
-Templated SyncML Call:
+Node type: GET
+
+This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store.
+
+Templated SyncML Call:
```xml
@@ -207,9 +203,9 @@ This node will retrieve the attestation report per the call made by the TriggerA
```
-Sample data:
+Sample data:
-```
+```console
If Success:
JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc
If failed:
@@ -218,10 +214,12 @@ OR Sync ML 404 error if not cached report available.
```
**GetServiceCorrelationIDs**
-Node type: GET
+
+Node type: GET
+
This node will retrieve the service-generated correlation IDs for the given MDM provider. If there are more than one correlation IDs, they are separated by “;” in the string.
-
-Templated SyncML Call:
+
+Templated SyncML Call:
```xml
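Review bot: in the GetAttestReport sample data, `JWT token:` expands to "JSON Web Token token"; `JWT:` is enough. The trailing context line `OR Sync ML 404 error if not cached report available` should read `or a SyncML 404 error if no cached report is available`, since `SyncML` is the protocol name used everywhere else in the file.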
@@ -240,226 +238,220 @@ This node will retrieve the service-generated correlation IDs for the given MDM
```
-Sample data:
+Sample data:
-> If success:
-> GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM
-> If Trigger Attestation call failed and no previous data is present. The field remains empty.
-> Otherwise, the last service correlation id will be returned. In a successful attestation there are two
-> calls between client and MAA and for each call the GUID is separated by semicolon.
+```console
+If success:
+GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM
+If Trigger Attestation call failed and no previous data is present. The field remains empty.
+Otherwise, the last service correlation id will be returned. In a successful attestation there are two
+calls between client and MAA and for each call the GUID is separated by semicolon.
+```
-> **_Note:_** MAA CSP nodes are available on arm64 but is not currently supported.
+> [!NOTE]
+> > MAA CSP nodes are available on arm64 but is not currently supported.
### MAA CSP Integration Steps
-
-- Set up a MAA provider instance:
-MAA instance can be created following the steps here Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.
-
- Update the provider with an appropriate policy:
-The MAA instance should be updated with an appropriate policy. How to author an Azure Attestation policy | Microsoft Docs
-
A Sample attestation policy:
-```
-version=1.2;
+1. Set up a MAA provider instance: MAA instance can be created following the steps at [Quickstart: Set up Azure Attestation by using the Azure portal](/azure/attestation/quickstart-portal].
-configurationrules{
-};
+2. Update the provider with an appropriate policy: The MAA instance should be updated with an appropriate policy. For more information, see [How to author an Azure Attestation policy](/azure/attestation/claim-rule-grammar).
-authorizationrules {
+ A Sample attestation policy:
+
+ ```console
+ version=1.2;
+
+ configurationrules{
+ };
+
+ authorizationrules {
=> permit();
-};
+ };
-issuancerules{
+ issuancerules{
-// SecureBoot enabled
-c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']"));
-c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));
-![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);
+ // SecureBoot enabled
+ c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']"));
+ c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));
+ ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);
-// Retrieve bool properties
-c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY")));
-c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true));
-![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false);
+ // Retrieve bool properties
+ c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY")));
+ c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true));
+ ![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false);
-// Bitlocker Boot Status, The first non zero measurement or zero.
-c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
-c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]")));
-[type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true);
-![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false);
+ // Bitlocker Boot Status, The first non zero measurement or zero.
+ c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
+ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]")));
+ [type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true);
+ ![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false);
-// Elam Driver (windows defender) Loaded
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`")));
-[type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true);
-![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false);
+ // Elam Driver (windows defender) Loaded
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`")));
+ [type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true);
+ ![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false);
-// Boot debugging
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING")));
-c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
-![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false);
+ // Boot debugging
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING")));
+ c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
+ ![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false);
-// Kernel Debugging
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG")));
-c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
-![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false);
+ // Kernel Debugging
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG")));
+ c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
+ ![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false);
-// DEP Policy
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]")));
-![type=="depPolicy"] => issue(type="depPolicy", value=0);
+ // DEP Policy
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]")));
+ ![type=="depPolicy"] => issue(type="depPolicy", value=0);
-// Test Signing
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING")));
-c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false));
-![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false);
+ // Test Signing
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING")));
+ c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false));
+ ![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false);
-// Flight Signing
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING")));
-c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false));
-![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false);
+ // Flight Signing
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING")));
+ c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false));
+ ![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false);
-// VSM enabled
-c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
-c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED")));
-c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT")));
-c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true));
-![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false);
-c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value);
+ // VSM enabled
+ c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
+ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED")));
+ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT")));
+ c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true));
+ ![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false);
+ c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value);
-// HVCI
-c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value")));
-c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1));
-![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false);
+ // HVCI
+ c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value")));
+ c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1));
+ ![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false);
-// IOMMU
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED")));
-c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true));
-![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false);
+ // IOMMU
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED")));
+ c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true));
+ ![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false);
-// Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements
-// Find the first EV_SEPARATOR in PCR 12, 13, Or 14
-c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
-c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
-[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` ");
+ // Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements
+ // Find the first EV_SEPARATOR in PCR 12, 13, Or 14
+ c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
+ c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
+ [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` ");
-// Find the first EVENT_APPLICATION_SVN.
-c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq"));
-c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value));
-c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
+ // Find the first EVENT_APPLICATION_SVN.
+ c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq"));
+ c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value));
+ c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
-// The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN
-c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
+ // The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN
+ c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
-// OS Rev List Info
-c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]")));
+ // OS Rev List Info
+ c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]")));
-// Safe mode
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE")));
-c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false));
-![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true);
+ // Safe mode
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE")));
+ c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false));
+ ![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true);
-// Win PE
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE")));
-c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false));
-![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true);
+ // Win PE
+ c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE")));
+ c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false));
+ ![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true);
-// CI Policy
-c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData")));
+ // CI Policy
+ c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData")));
-// Secure Boot Custom Policy
-c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]")));
+ // Secure Boot Custom Policy
+ c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]")));
-// Find the first EV_SEPARATOR in PCR 12, 13, Or 14
-c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
-c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
-[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present
+ // Find the first EV_SEPARATOR in PCR 12, 13, Or 14
+ c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
+ c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
+ [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present
-//Finding the Boot App SVN
-// Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR
-c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`"));
-c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq"));
-c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value));
+ //Finding the Boot App SVN
+ // Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR
+ c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`"));
+ c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq"));
+ c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value));
-// Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control.
-c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
-c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]"));
-c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value));
+ // Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control.
+ c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
+ c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]"));
+ c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value));
-// Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12.
-c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
-c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
-c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
+ // Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12.
+ c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
+ c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
+ c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
-// Finding the Boot Rev List Info
-c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]")));
+ // Finding the Boot Rev List Info
+ c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]")));
-};
-```
+ };
+ ```
-
-
- Call TriggerAttestation with your rpid, AAD token and the attestURI:
-Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Attestation) | Microsoft Docs
-
- Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties:
-GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy.
-
+3. Call TriggerAttestation with your rpid, AAD token and the attestURI: Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. For more information about the api version, see [Attestation - Attest Tpm - REST API](/rest/api/attestation/attestation/attest-tpm).
-```json
- {
- "typ": "JWT",
- "alg": "RS256",
- "x5c": [
- "MIIE.....=",
- "MIIG.....=",
- "MIIF.....="
- ],
- "kid": "8FUer20z6wzf1rod044wOAFdjsg"
- }.{
- "nbf": 1633664812,
- "exp": 1634010712,
- "iat": 1633665112,
- "iss": "https://contosopolicy.eus.attest.azure.net",
- "jti": "2b63663acbcafefa004d20969991c0b1f063c9be",
- "ver": "1.0",
- "x-ms-ver": "1.0",
- "rp_data": "AQIDBA",
- "nonce": "AQIDBA",
- "cnf": {
- "jwk": {
- "kty": "RSA",
- "n": "yZGC3-1rFZBt6n6vRHjRjvrOYlH69TftIQWOXiEHz__viQ_Z3qxWVa4TfrUxiQyDQnxJ8-f8tBRmlunMdFDIQWhnew_rc3-UYMUPNcTQ0IkrLBDG6qDjFFeEAMbn8gqr0rRWu_Qt7Cb_Cq1upoEBkv0RXk8yR6JXmFIvLuSdewGs-xCWlHhd5w3n1rVk0hjtRk9ZErlbPXt74E5l-ZZQUIyeYEZ1FmbivOIL-2f6NnKJ-cR4cdhEU8i9CH1YV0r578ry89nGvBJ5u4_3Ib9Ragdmxm259npH53hpnwf0I6V-_ZhGPyF6LBVUG_7x4CyxuHCU20uI0vXKXJNlbj1wsQ",
- "e": "AQAB"
- }
- },
- "x-ms-policy-hash": "GiGQCTOylCohHt4rd3pEppD9arh5mXC3ifF1m1hONh0",
- "WindowsDefenderElamDriverLoaded": true,
- "bitlockerEnabled": true,
- "bitlockerEnabledValue": 4,
- "bootAppSvn": 1,
- "bootDebuggingDisabled": true,
- "bootMgrSvn": 1,
- "bootRevListInfo": "gHWqR2F-1wEgAAAACwBxrZXHbaiuTuO0PSaJ7WQMF8yz37Z2ATgSNTTlRkwcTw",
- "codeIntegrityEnabled": true,
- "codeIntegrityPolicy": [
- "AAABAAAAAQBWAAsAIAAAAHsAOABmAGIANAA4ADYANQBlAC0AZQA5ADAAYgAtADQANAA0AGYALQBiADUAYgA1AC0AZQAyAGEAYQA1ADEAZAA4ADkAMABmAGQAfQAuAEMASQBQAAAAVnW86ERqAg5n9QT1UKFr-bOP2AlNtBaaHXjZODnNLlk",
- "AAAAAAAACgBWAAsAIAAAAHsAYgBjADQAYgBmADYAZAA3AC0AYwBjADYAMAAtADQAMABmADAALQA4ADYANAA0AC0AMQBlADYANAA5ADEANgBmADgAMQA4ADMAfQAuAEMASQBQAAAAQ7vOXuAbBRIMglSSg7g_LHNeHoR4GrY-M-2W5MNvf0o",
- "AAAAAAAACgBWAAsAIAAAAHsAYgAzADEAOAA5ADkAOQBhAC0AYgAxADMAZQAtADQANAA3ADUALQBiAGMAZgBkAC0AMQBiADEANgBlADMAMABlADYAMAAzADAAfQAuAEMASQBQAAAALTmwU3eadNtg0GyAyKIAkYed127RJCSgmfFmO1jN_aI",
- "AAAAAAAACgBWAAsAIAAAAHsAZgBlADgAMgBkADUAOAA5AC0ANwA3AGQAMQAtADQAYwA3ADYALQA5AGEANABhAC0AZQA0ADUANQA0ADYAOAA4ADkANAAxAGIAfQAuAEMASQBQAAAA8HGUwA85gHN_ThItTYtu6sw657gVuOb4fOhYl-YJRoc",
- "AACRVwAACgAmAAsAIAAAAEQAcgBpAHYAZQByAFMAaQBQAG8AbABpAGMAeQAuAHAANwBiAAAAYcVuY0HdW4Iqr5B-6Sl85kwIXRG9bqr43pVhkirg4qM"
- ],
- "depPolicy": 0,
- "flightSigningNotEnabled": false,
- "hvciEnabled": true,
- "iommuEnabled": true,
- "notSafeMode": true,
- "notWinPE": true,
- "osKernelDebuggingDisabled": true,
- "osRevListInfo": "gHLuW2F-1wEgAAAACwDLyDTUQILjdz_RfNlShVgNYT9EghL7ceMReWg9TuwdKA",
- "secureBootEnabled": true,
- "testSigningDisabled": true,
- "vbsEnabled": true
- }.[Signature]
-```
-
-
+4. Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties: GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy.
+
+ ```json
+ {
+ "typ": "JWT",
+ "alg": "RS256",
+ "x5c": [
+ "MIIE.....=",
+ "MIIG.....=",
+ "MIIF.....="
+ ],
+ "kid": "8FUer20z6wzf1rod044wOAFdjsg"
+ }.{
+ "nbf": 1633664812,
+ "exp": 1634010712,
+ "iat": 1633665112,
+ "iss": "https://contosopolicy.eus.attest.azure.net",
+ "jti": "2b63663acbcafefa004d20969991c0b1f063c9be",
+ "ver": "1.0",
+ "x-ms-ver": "1.0",
+ "rp_data": "AQIDBA",
+ "nonce": "AQIDBA",
+ "cnf": {
+ "jwk": {
+ "kty": "RSA",
+ "n": "yZGC3-1rFZBt6n6vRHjRjvrOYlH69TftIQWOXiEHz__viQ_Z3qxWVa4TfrUxiQyDQnxJ8-f8tBRmlunMdFDIQWhnew_rc3-UYMUPNcTQ0IkrLBDG6qDjFFeEAMbn8gqr0rRWu_Qt7Cb_Cq1upoEBkv0RXk8yR6JXmFIvLuSdewGs-xCWlHhd5w3n1rVk0hjtRk9ZErlbPXt74E5l-ZZQUIyeYEZ1FmbivOIL-2f6NnKJ-cR4cdhEU8i9CH1YV0r578ry89nGvBJ5u4_3Ib9Ragdmxm259npH53hpnwf0I6V-_ZhGPyF6LBVUG_7x4CyxuHCU20uI0vXKXJNlbj1wsQ",
+ "e": "AQAB"
+ }
+ },
+ "x-ms-policy-hash": "GiGQCTOylCohHt4rd3pEppD9arh5mXC3ifF1m1hONh0",
+ "WindowsDefenderElamDriverLoaded": true,
+ "bitlockerEnabled": true,
+ "bitlockerEnabledValue": 4,
+ "bootAppSvn": 1,
+ "bootDebuggingDisabled": true,
+ "bootMgrSvn": 1,
+ "bootRevListInfo": "gHWqR2F-1wEgAAAACwBxrZXHbaiuTuO0PSaJ7WQMF8yz37Z2ATgSNTTlRkwcTw",
+ "codeIntegrityEnabled": true,
+ "codeIntegrityPolicy": [
+ "AAABAAAAAQBWAAsAIAAAAHsAOABmAGIANAA4ADYANQBlAC0AZQA5ADAAYgAtADQANAA0AGYALQBiADUAYgA1AC0AZQAyAGEAYQA1ADEAZAA4ADkAMABmAGQAfQAuAEMASQBQAAAAVnW86ERqAg5n9QT1UKFr-bOP2AlNtBaaHXjZODnNLlk", "AAAAAAAACgBWAAsAIAAAAHsAYgBjADQAYgBmADYAZAA3AC0AYwBjADYAMAAtADQAMABmADAALQA4ADYANAA0AC0AMQBlADYANAA5ADEANgBmADgAMQA4ADMAfQAuAEMASQBQAAAAQ7vOXuAbBRIMglSSg7g_LHNeHoR4GrY-M-2W5MNvf0o", "AAAAAAAACgBWAAsAIAAAAHsAYgAzADEAOAA5ADkAOQBhAC0AYgAxADMAZQAtADQANAA3ADUALQBiAGMAZgBkAC0AMQBiADEANgBlADMAMABlADYAMAAzADAAfQAuAEMASQBQAAAALTmwU3eadNtg0GyAyKIAkYed127RJCSgmfFmO1jN_aI", "AAAAAAAACgBWAAsAIAAAAHsAZgBlADgAMgBkADUAOAA5AC0ANwA3AGQAMQAtADQAYwA3ADYALQA5AGEANABhAC0AZQA0ADUANQA0ADYAOAA4ADkANAAxAGIAfQAuAEMASQBQAAAA8HGUwA85gHN_ThItTYtu6sw657gVuOb4fOhYl-YJRoc", "AACRVwAACgAmAAsAIAAAAEQAcgBpAHYAZQByAFMAaQBQAG8AbABpAGMAeQAuAHAANwBiAAAAYcVuY0HdW4Iqr5B-6Sl85kwIXRG9bqr43pVhkirg4qM"
+ ],
+ "depPolicy": 0,
+ "flightSigningNotEnabled": false,
+ "hvciEnabled": true,
+ "iommuEnabled": true,
+ "notSafeMode": true,
+ "notWinPE": true,
+ "osKernelDebuggingDisabled": true,
+ "osRevListInfo": "gHLuW2F-1wEgAAAACwDLyDTUQILjdz_RfNlShVgNYT9EghL7ceMReWg9TuwdKA",
+ "secureBootEnabled": true,
+ "testSigningDisabled": true,
+ "vbsEnabled": true
+ }.[Signature]
+ ```
### Learn More
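Review bot: The `codeIntegrityPolicy` array in the sample JWT (the line after `"codeIntegrityPolicy": [`) was collapsed from one element per line into a single long line; the original one-per-line layout should be kept, since nothing else in this hunk motivates the change and five base64url strings on one line are unreadable and will wrap badly when rendered. Two points on the rewritten step 4 text: "GetAttestReport return the signed attestation token" should read "returns", and because the sample token carries an `x5c` chain, `iss`, `exp` and `nonce`, the sentence "The JWT can be decoded to parse the information per the attestation policy" would be stronger if it said the signature must be validated against that chain and the `iss`, `exp` and `nonce` claims checked before any of the policy claims (`bitlockerEnabled`, `hvciEnabled`, and so on) are trusted; decoding alone does not establish that the report came from the attestation service. Minor, pre-existing: the reindented policy defines `srtmDrtmEventPcr` twice (once in the Bitlocker block and again in the VSM block) and keeps the `tranferControlQuery` / `tranferControlSeq` spelling; a whitespace-only reindent is a convenient moment to drop the duplicate `add` and fix the spelling.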
@@ -470,86 +462,75 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes
### Terms
-**TPM (Trusted Platform Module)**
-TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.
+- **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.
-**DHA (Device HealthAttestation) feature**
-The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
+- **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
-**DHA-Enabled device (Device HealthAttestation enabled device)**
-A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.
+- **DHA-Enabled device (Device HealthAttestation enabled device)**: A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.
-**DHA-Session (Device HealthAttestation session)**
-The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
+- **DHA-Session (Device HealthAttestation session)**: The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
-The following list of transactions is performed in one DHA-Session:
-
-- DHA-CSP and DHA-Service communication:
-
- DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
-- DHA-Service replies with an encrypted data blob (DHA-EncBlob)
-
+ The following list of transactions is performed in one DHA-Session:
-- DHA-CSP and MDM-Server communication:
-
- MDM-Server sends a device health verification request to DHA-CSP
-- DHA-CSP replies with a payload called DHA-Data that includes an encrypted (DHA-EncBlob) and a signed (DHA-SignedBlob) data blob
-
+ - DHA-CSP and DHA-Service communication:
+ - DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
+ - DHA-Service replies with an encrypted data blob (DHA-EncBlob)
-- MDM-Server and DHA-Service communication:
-
- MDM-Server posts data it receives from devices to DHA-Service
-- DHA-Service reviews the data it receives, and replies with a device health report (DHA-Report)
-
-
+ - DHA-CSP and MDM-Server communication:
+ - MDM-Server sends a device health verification request to DHA-CSP
+ - DHA-CSP replies with a payload called DHA-Data that includes an encrypted (DHA-EncBlob) and a signed (DHA-SignedBlob) data blob
-
-DHA session data (Device HealthAttestation session data)
-The following list of data is produced or consumed in one DHA-Transaction:
-
-- DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health.
-- DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.
-- DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time.
-- DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts:
-
-- DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service
-- DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP
-
-
-- DHA-Report: the report that is issued by DHA-Service to MDM-Server
-- Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks
-
+ - MDM-Server and DHA-Service communication:
+ - MDM-Server posts data it receives from devices to DHA-Service
+ - DHA-Service reviews the data it receives, and replies with a device health report (DHA-Report)
-DHA-Enabled MDM (Device HealthAttestation enabled device management solution)
-Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
-DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
-The following list of operations is performed by DHA-Enabled-MDM
-
-- Enables the DHA feature on a DHA-Enabled device
-- Issues device health attestation requests to enrolled/managed devices
-- Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification
-- Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action
-
+ 
-DHA-CSP (Device HealthAttestation Configuration Service Provider)
-The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
-The following list of operations is performed by DHA-CSP:
-
-- Collects device boot data (DHA-BootData) from a managed device
-- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
-- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
-- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
-
+- **DHA session data (Device HealthAttestation session data)**: The following list of data is produced or consumed in one DHA-Transaction:
-DHA-Service (Device HealthAttestation Service)
-Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
+ - DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health.
+ - DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.
+ - DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time.
+ - DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts:
-DHA-Service is available in two flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
-The following list of operations is performed by DHA-Service:
+ - DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service
+ - DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP
-- Receives device boot data (DHA-BootData) from a DHA-Enabled device
-- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
-- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
-- Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report)
+ - DHA-Report: the report that is issued by DHA-Service to MDM-Server
+ - Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks
-
+- **DHA-Enabled MDM (Device HealthAttestation enabled device management solution)**: Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
+
+ DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
+
+ The following list of operations is performed by DHA-Enabled-MDM
+
+ - Enables the DHA feature on a DHA-Enabled device
+ - Issues device health attestation requests to enrolled/managed devices
+ - Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification
+ - Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action
+
+- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
+
+ The following list of operations is performed by DHA-CSP:
+
+ - Collects device boot data (DHA-BootData) from a managed device
+ - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
+ - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
+ - Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
+
+- **DHA-Service (Device HealthAttestation Service)**: Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
+
+ DHA-Service is available in two flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
+
+ The following list of operations is performed by DHA-Service:
+
+ - Receives device boot data (DHA-BootData) from a DHA-Enabled device
+ - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
+ - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
+ - Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report)
+
+
|DHA-Service type|Description|Operation cost|
|--- |--- |--- |
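Review bot: the DHA-Service operations list at the end of this hunk still carries two items copied from the DHA-CSP list just above it: `- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)` and `- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device` describe the client, and the service cannot forward boot data to itself or cache its own blob on the device. Since the block is being re-laid out anyway, replace them with the service-side steps the transaction list earlier in the hunk already states: reviews DHA-BootData and issues the DHA-EncBlob, receives the DHA-Data the MDM-Server posts. Two layout points: the two parts under `DHA-Data has two parts:` are indented at the same level as the `DHA-Data` item, so they render as siblings rather than sub-items, and the lone `+ ` line before the DHA-CSP entry adds a whitespace-only line inside the list.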
@@ -561,7 +542,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes
The following shows the Device HealthAttestation configuration service provider in tree format.
-```
+```console
./Vendor/MSFT
HealthAttestation
----VerifyHealth
@@ -576,20 +557,24 @@ HealthAttestation
----PreferredMaxProtocolVersion
----MaxSupportedProtocolVersion
```
+
**./Vendor/MSFT/HealthAttestation**
-The root node for the device HealthAttestation configuration service provider.
+
+The root node for the device HealthAttestation configuration service provider.
**VerifyHealth** (Required)
-Notifies the device to prepare a device health verification request.
-The supported operation is Execute.
+Notifies the device to prepare a device health verification request.
+
+The supported operation is Execute.
**Status** (Required)
-Provides the current status of the device health request.
-The supported operation is Get.
+Provides the current status of the device health request.
-The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes.
+The supported operation is Get.
+
+The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes.
- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
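Review bot: the blank line inserted after `**./Vendor/MSFT/HealthAttestation**` is not inserted after `**VerifyHealth** (Required)` or `**Status** (Required)`, so unless those heading lines keep a trailing two-space break the description folds into the bold heading as a single paragraph. Apply the same blank line after every node heading. Also, `For the complete list of status, see Device HealthAttestation CSP status and error codes.` is plain text here while Step 4 later links the same section as `#device-healthattestation-csp-status-and-error-codes`; make it a link.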
@@ -597,42 +582,47 @@ HealthAttestation
- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup
**ForceRetrieve** (Optional)
-Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
-Boolean value. The supported operation is Replace.
+Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
+
+Boolean value. The supported operation is Replace.
**Certificate** (Required)
-Instructs the DHA-CSP to forward DHA-Data to the MDM server.
-Value type is b64. The supported operation is Get.
+Instructs the DHA-CSP to forward DHA-Data to the MDM server.
+
+Value type is b64. The supported operation is Get.
**Nonce** (Required)
-Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
-The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.
+Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
-The supported operations are Get and Replace.
+The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.
+
+The supported operations are Get and Replace.
**CorrelationId** (Required)
-Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
-Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
+Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
+
+Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
**HASEndpoint** (Optional)
-Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
-Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.
+Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
+
+Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.
**TpmReadyStatus** (Required)
-Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.
-Value type is integer. The supported operation is Get.
-### **DHA-CSP integration steps**
+Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.
+Value type is integer. The supported operation is Get.
+
+### DHA-CSP integration steps
The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM):
-
1. [Verify HTTPS access](#verify-access)
2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service)
3. [Instruct client to prepare DHA-data for verification](#prepare-health-data)
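Review bot: TpmReadyStatus is the one node in this hunk left without a blank line between its description and `Value type is integer. The supported operation is Get.`, and none of the bold node headings (`**ForceRetrieve** (Optional)`, `**Certificate** (Required)`, and so on) get the blank line the root node received, so the layout is inconsistent within one section. Two fixes on lines already being touched: `- 2,147,483,648` has a stray space after the minus sign, and `crypt-protected random value` should read `cryptographically protected random value`. On the nonce description, the property it provides is freshness: it binds the signed blob to this request so a stale DHA-Data cannot be replayed, which is why Step 6 has the MDM append the same value before posting to DHA-Service; "man-in-the-middle" overstates it, since the transport is the HTTPS connection Step 1 verifies. Lastly, the blank line removed between the integration-steps paragraph and the numbered list is needed by some renderers for the list to start.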
@@ -644,14 +634,13 @@ The following list of validation and development tasks are required for integrat
Each step is described in detail in the following sections of this topic.
-### **Step 1: Verify HTTPS access**
-
+### Step 1: Verify HTTPS access
Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS).
You can use OpenSSL to validate access to DHA-Service. Here is a sample OpenSSL command and the response that was generated by DHA-Service:
-``` syntax
+```powershell
PS C:\openssl> ./openssl.exe s_client -connect has.spserv.microsoft.com:443
CONNECTED(000001A8)
---
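Review bot: `powershell` is the wrong fence tag for this block. It is a captured session (the `PS C:\openssl>` prompt, `CONNECTED(000001A8)`, the certificate chain and the SSL-Session summary), not PowerShell code, and highlighting it as PowerShell marks the output lines as syntax errors in renderers that check. Use the `console` tag this same patch applies to the CSP tree listing earlier in the file, which is the convention for prompt-plus-output captures.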
@@ -696,8 +685,7 @@ SSL-Session:
Verify return code: 20 (unable to get local issuer certificate)
```
-
-### **Step 2: Assign an enterprise trusted DHA-Service**
+### Step 2: Assign an enterprise trusted DHA-Service
There are three types of DHA-Service:
- Device Health Attestation – Cloud (owned and operated by Microsoft)
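Review bot: the sample session ends with `Verify return code: 20 (unable to get local issuer certificate)` and the surrounding text says nothing about what that means, so a reader following Step 1 may conclude the connection failed or, worse, that the result is acceptable as-is. Add one sentence after the block: return code 20 means `openssl s_client` had no local CA store to chain the server certificate to, so reachability over TCP 443 has been confirmed but the certificate has not been validated; to validate it, rerun with `-CAfile` (or `-CApath`) pointing at the trusted roots and expect `Verify return code: 0 (ok)`. The heading change itself is fine.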
@@ -722,9 +710,7 @@ The following example shows a sample call that instructs a managed device to com
```
-
-### **Step 3: Instruct client to prepare health data for verification**
-
+### Step 3: Instruct client to prepare health data for verification
Send a SyncML call to start collection of the DHA-Data.
@@ -750,7 +736,7 @@ The following example shows a sample call that triggers collection and verificat
```
-### **Step 4: Take action based on the clients response**
+### Step 4: Take action based on the clients response
After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
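Review bot: since the heading is being rewritten, fix the possessive at the same time: `### Step 4: Take action based on the clients response` should read `Take action based on the client's response`, matching `After the client receives the health attestation request, it sends a response.` directly under it.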
@@ -778,7 +764,7 @@ Here is a sample alert that is issued by DHA_CSP:
```
- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
-### **Step 5: Instruct the client to forward health attestation data for verification**
+### Step 5: Instruct the client to forward health attestation data for verification
Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device.
@@ -815,39 +801,40 @@ Here is an example:
```
-### **Step 6: Forward device health attestation data to DHA-service**
-
+### Step 6: Forward device health attestation data to DHA-service
In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response to ./Vendor/MSFT/HealthAttestation/CorrelationId node).
-When the MDM-Server receives the above data, it must:
+When the MDM-Server receives the above data, it must:
+
- Log the CorrelationId it receives from the device (for future troubleshooting/reference), correlated to the call.
- Decode the XML formatted data blob it receives from the device
- Append the nonce that was generated by MDM service (add the nonce that was forwarded to the device in Step 5) to the XML structure that was forwarded by the device in following format:
-```xml
-
-
- [INT]
- [base64 blob, eg ‘ABc123+/…==’]
- [base64 blob, eg ‘ABc123+/...==’]
-
-
-```
+ ```xml
+
+
+ [INT]
+ [base64 blob, eg ‘ABc123+/…==’]
+ [base64 blob, eg ‘ABc123+/...==’]
+
+
+ ```
+
- Forward (HTTP Post) the XML data struct (including the nonce that was appended in the previous step) to the assigned DHA-Service that runs on:
- - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3
- - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3
+
+ - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3
+ - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3
-### **Step 7: Receive response from the DHA-service**
+### Step 7: Receive response from the DHA-service
When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps:
- Decrypts the encrypted data it receives.
- Validates the data it has received
- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format
-### **Step 8: Take appropriate policy action based on evaluation results**
-
+### Step 8: Take appropriate policy action based on evaluation results
After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be:
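Review bot: the DHA-OnPrem/DHA-EMC endpoint line is re-indented but keeps the typo `https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3`; `FDQN` should be `FQDN`, and a placeholder such as `https://<FQDN>/DeviceHealthAttestation/ValidateHealthCertificate/v3` reads more clearly than a hyphenated pseudo-hostname. Both endpoint URLs would also be better wrapped in backticks so the renderer does not auto-link a placeholder. In the `Append the nonce` step it is worth spelling out that the MDM must use the exact value it set on the device in Step 5 and should fail the session if the device's CorrelationId cannot be matched to a nonce it issued; the whole replay check depends on that pairing.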
@@ -892,14 +879,16 @@ The following list of data points is verified by the DHA-Service in DHA-Report v
Each of these are described in further detail in the following sections, along with the recommended actions to take.
**Issued**
-The date and time DHA-report was evaluated or issued to MDM.
+
+The date and time DHA-report was evaluated or issued to MDM.
**AIKPresent**
-When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
-If AIKPresent = True (1), then allow access.
+When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
-If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
+If AIKPresent = True (1), then allow access.
+
+If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
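Review bot: the blank line is inserted between `If AIKPresent = True (1), then allow access.` and `If AIKPresent = False (0), ...` but not between the description paragraph and the first `If` sentence, nor after the `**AIKPresent**` heading, so unless the old trailing two-space breaks survive those lines merge into one paragraph. The same half-applied pattern repeats in every attribute section that follows (ResetCount through TestSigningEnabled); separate heading, description and each policy sentence with a blank line throughout rather than only between the two `If` sentences.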
@@ -907,24 +896,27 @@ Each of these are described in further detail in the following sections, along w
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**ResetCount** (Reported only for devices that support TPM 2.0)
-This attribute reports the number of times a PC device has hibernated or resumed.
+
+This attribute reports the number of times a PC device has hibernated or resumed.
**RestartCount** (Reported only for devices that support TPM 2.0)
-This attribute reports the number of times a PC device has rebooted
+
+This attribute reports the number of times a PC device has rebooted.
**DEPPolicy**
-A device can be trusted more if the DEP Policy is enabled on the device.
-Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
+A device can be trusted more if the DEP Policy is enabled on the device.
-DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
+
+DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff**
- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn**
-If DEPPolicy = 1 (On), then allow access.
+If DEPPolicy = 1 (On), then allow access.
-If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
+If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
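Review bot: two wording problems on lines this hunk rewrites. `Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies` has a leftover verb (`defines is`), and the sentence after it, `Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.`, is not readable as written; if the intent is that DEP can only take a restricted set of values on x86/amd64 under Secure Boot and is always on for ARM, say so in full. Also `by using the following commands in WMI or a PowerShell script` mislabels `bcdedit.exe`: it is a command-line tool that must run from an elevated prompt, and the `nx` setting is read by the boot loader, so it takes effect at the next boot, which is when the value DHA-Report attests is captured.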
@@ -932,15 +924,16 @@ Each of these are described in further detail in the following sections, along w
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**BitLockerStatus** (at boot time)
-When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
-Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
+When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
-If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
+Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
-If BitLockerStatus = 1 (On), then allow access.
+If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
-If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
+If BitLockerStatus = 1 (On), then allow access.
+
+If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
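Review bot: `Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume.` has a stray comma between subject and verb on a line being rewritten. It would also help to state what the heading `**BitLockerStatus** (at boot time)` implies: the attribute reports whether the OS volume was protected when the device booted, so `BitLockerStatus = 1 (On)` says nothing about fixed data drives or about protection being suspended after boot, and policy keyed on it should treat it as an OS-volume, boot-time signal only.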
@@ -948,11 +941,12 @@ Each of these are described in further detail in the following sections, along w
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**BootManagerRevListVersion**
-This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
-If BootManagerRevListVersion = [CurrentVersion], then allow access.
+This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
-If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If BootManagerRevListVersion = [CurrentVersion], then allow access.
+
+If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI and MBI assets
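Review bot: the description `This attribute indicates the version of the Boot Manager that is running on the device` does not match the attribute name `BootManagerRevListVersion`, which names a revocation-list version; the check `If BootManagerRevListVersion = [CurrentVersion], then allow access.` only makes sense if the MDM compares against the current published revocation-list version, not against a boot manager build. Please state which it is, and apply the same clarification to the `CodeIntegrityRevListVersion` section that follows. The text also uses `[CurrentVersion]` without saying where the MDM obtains the current value; one sentence on that would make the policy actionable.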
@@ -960,11 +954,12 @@ Each of these are described in further detail in the following sections, along w
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**CodeIntegrityRevListVersion**
-This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
-If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
+This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
-If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
+
+If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI and MBI assets
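Review bot: the recommended action at the top of this hunk, `Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.`, is missing a word; it should read `to contact the owner to investigate the issue`. The same sentence recurs in the SecureBootEnabled and CodeIntegrityEnabled sections further down, so fix all occurrences together while these lines are being re-spaced.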
@@ -972,11 +967,12 @@ Each of these are described in further detail in the following sections, along w
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**SecureBootEnabled**
-When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
-If SecureBootEnabled = 1 (True), then allow access.
+When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
-If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If SecureBootEnabled = 1 (True), then allow access.
+
+If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
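Review bot: `If SecurebootEnabled = 0 (False)` on the rewritten line is spelled differently from `If SecureBootEnabled = 1 (True)` two lines above and from the `**SecureBootEnabled**` heading; use one casing so the attribute name can be searched. Also, `trusted by the organization that manufactured the device` narrows the trust anchor too far: the UEFI firmware checks boot components against the signing keys enrolled in its `db`, which on a Windows device include the Microsoft UEFI CA alongside any OEM keys, so "trusted by the keys enrolled in the device firmware" is the accurate phrasing.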
@@ -984,16 +980,17 @@ Each of these are described in further detail in the following sections, along w
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**BootDebuggingEnabled**
-Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
-Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
+
+Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**
- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**
-If BootdebuggingEnabled = 0 (False), then allow access.
+If BootdebuggingEnabled = 0 (False), then allow access.
-If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
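Review bot: casing on the rewritten lines is inconsistent: `If BootdebuggingEnabled = 0 (False)` versus `If BootDebuggingEnabled = 1 (True)` and the `**BootDebuggingEnabled**` heading. Grammar on the description line: `be configured with fewer security restrictions that is required for testing and development` should read `fewer security restrictions than are required`. The same `in WMI or a PowerShell script` mislabel of `bcdedit.exe` noted for the DEPPolicy section applies here too.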
@@ -1001,11 +998,12 @@ Each of these are described in further detail in the following sections, along w
- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.
**OSKernelDebuggingEnabled**
-OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
-If OSKernelDebuggingEnabled = 0 (False), then allow access.
+OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
-If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If OSKernelDebuggingEnabled = 0 (False), then allow access.
+
+If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
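Review bot: the corrective action listed for BootDebuggingEnabled at the top of this hunk, `Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.`, does not remediate the finding; the fix that section itself gives is `bcdedit.exe /set {current} bootdebug off`, followed by a reboot so the next DHA-Report reflects it. The OSKernelDebuggingEnabled section that follows names no command at all, while its BootDebugging counterpart does; `bcdedit.exe /debug off` is the matching switch, and the actions list should point at it rather than at VSM.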
@@ -1013,15 +1011,16 @@ Each of these are described in further detail in the following sections, along w
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**CodeIntegrityEnabled**
-When code integrity is enabled, code execution is restricted to integrity verified code.
-Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
+When code integrity is enabled, code execution is restricted to integrity verified code.
-On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
+Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
-If CodeIntegrityEnabled = 1 (True), then allow access.
+On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
-If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If CodeIntegrityEnabled = 1 (True), then allow access.
+
+If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
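Review bot: the first context line of this hunk ("informing the technical support team to contact the owner investigate the issue") is missing a conjunction and the same sentence recurs in the SafeMode, ELAMDriverLoaded and VSMEnabled sections below; since this conversion pass is already touching every one of those paragraphs, change it to "contact the owner and investigate the issue" in each place. While here, "integrity verified code" in the CodeIntegrityEnabled paragraph reads better hyphenated as "integrity-verified code".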
@@ -1029,16 +1028,17 @@ Each of these are described in further detail in the following sections, along w
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**TestSigningEnabled**
-When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
-Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
+
+Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**
- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**
-If TestSigningEnabled = 0 (False), then allow access.
+If TestSigningEnabled = 0 (False), then allow access.
-If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI and MBI assets
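Review bot: the two bcdedit bullets in this hunk are mislabeled: they read "To disable boot debugging" and "To enable boot debugging", but the commands they give (`bcdedit.exe /set {current} testsigning off` / `testsigning on`) toggle test signing, not boot debugging, and the paragraph above them says they control test signing. Rename them "To disable test signing" and "To enable test signing". Also, the VSMEnabled hunk below moves its bcdedit command from bold to a backtick code span; do the same here so the commands are formatted consistently.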
@@ -1046,33 +1046,36 @@ Each of these are described in further detail in the following sections, along w
- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
**SafeMode**
-Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
-If SafeMode = 0 (False), then allow access.
+Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
-If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
+If SafeMode = 0 (False), then allow access.
+
+If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**WinPE**
-Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
-If WinPE = 0 (False), then allow access.
+Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
-If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
+If WinPE = 0 (False), then allow access.
+
+If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
**ELAMDriverLoaded** (Windows Defender)
-To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
-In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot.
+To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
-If a device is expected to use a third-party antivirus program, ignore the reported state.
+In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot.
-If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
+If a device is expected to use a third-party antivirus program, ignore the reported state.
-If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
+If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
+
+If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
- Disallow all access
- Disallow access to HBI assets
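Review bot: the first context line of this hunk, "Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script", has the remediation backwards; it sits under "If TestSigningEnabled = 1 (True)", where test signing is the non-compliant state, so the corrective action should be "disabling test signing". Separately, the ELAMDriverLoaded paragraph converted here says Hybrid Resume must be disabled for the report to be meaningful; consider moving that prerequisite into its own sentence or note so it is not lost in the middle of the ELAM description.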
@@ -1080,61 +1083,63 @@ Each of these are described in further detail in the following sections, along w
**Bcdedit.exe /set {current} vsmlaunchtype auto**
-If ELAMDriverLoaded = 1 (True), then allow access.
+If ELAMDriverLoaded = 1 (True), then allow access.
-If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
+If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**VSMEnabled**
-Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering.
-VSM can be enabled by using the following command in WMI or a PowerShell script:
+Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering.
-bcdedit.exe /set {current} vsmlaunchtype auto
+VSM can be enabled by using the following command in WMI or a PowerShell script:
-If VSMEnabled = 1 (True), then allow access.
-If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+`bcdedit.exe /set {current} vsmlaunchtype auto`
+
+If VSMEnabled = 1 (True), then allow access.
+If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue
**PCRHashAlgorithmID**
-This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
+
+This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
**BootAppSVN**
-This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
-If reported BootAppSVN equals an accepted value, then allow access.
+This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
- If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootAppSVN equals an accepted value, then allow access.
+
+If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**BootManagerSVN**
-This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
-If reported BootManagerSVN equals an accepted value, then allow access.
+This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
-If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootManagerSVN equals an accepted value, then allow access.
+
+If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**TPMVersion**
-This attribute identifies the version of the TPM that is running on the attested device.
-TPMVersion node provides to replies "1" and "2":
-
-- 1 means TPM specification version 1.2
-- 2 means TPM specification version 2.0
-
+This attribute identifies the version of the TPM that is running on the attested device. TPMVersion node provides to replies "1" and "2":
-Based on the reply you receive from TPMVersion node:
+- 1 means TPM specification version 1.2
+- 2 means TPM specification version 2.0
+
+Based on the reply you receive from TPMVersion node:
- If reported TPMVersion equals an accepted value, then allow access.
- If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
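Review bot: the VSMEnabled block is missing the blank line that every other section in this patch inserts between the "= 1 (True)" and "= 0 (False)" sentences (`+If VSMEnabled = 1 (True), then allow access.` is immediately followed by `+If VSMEnabled = 0 (False), then take one of the following actions`), so Markdown will render both as a single paragraph; add the blank line for consistency. Two further things in this hunk's context: the bold `**Bcdedit.exe /set {current} vsmlaunchtype auto**` at the top, followed by a second ELAMDriverLoaded allow/deny block, duplicates the VSM command and the ELAM decision text already given elsewhere and looks like a leftover to remove, and the VSM command itself was converted to a backtick span while this copy stays bold. Finally, "TPMVersion node provides to replies" should read "provides two replies".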
@@ -1142,112 +1147,194 @@ Each of these are described in further detail in the following sections, along w
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**PCR0**
-The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
-Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.
+The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
-If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.
+Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.
-If PCR[0] equals an accepted allow list value, then allow access.
+If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.
-If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
+If PCR[0] equals an accepted allow list value, then allow access.
+
+If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**SBCPHash**
-SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
-If SBCPHash is not present, or is an accepted allow-listed value, then allow access.
+SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
-
If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
+If SBCPHash is not present, or is an accepted allow-listed value, then allow access.
+
+If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Place the device in a watch list to monitor the device more closely for potential risks.
**CIPolicy**
-This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
-If CIPolicy is not present, or is an accepted allow-listed value, then allow access.
+This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
-If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
+If CIPolicy is not present, or is an accepted allow-listed value, then allow access.
+
+If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Place the device in a watch list to monitor the device more closely for potential risks.
**BootRevListInfo**
-This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
-If reported BootRevListInfo version equals an accepted value, then allow access.
+This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
-If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootRevListInfo version equals an accepted value, then allow access.
+
+If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**OSRevListInfo**
-This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
-If reported OSRevListInfo version equals an accepted value, then allow access.
+This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
-If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported OSRevListInfo version equals an accepted value, then allow access.
+
+If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**HealthStatusMismatchFlags**
-HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
-In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
+HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
-### **Device HealthAttestation CSP status and error codes**
+In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
-|Error code|Error name|Description|
-|--- |--- |--- |
-|0|HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED|This is the initial state for devices that have never participated in a DHA-Session.|
-|1|HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED|This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.|
-|2|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED|This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.|
-|3|HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE|This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.|
-|4|HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL|Deprecated in Windows 10, version 1607.|
-|5|HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL|DHA-CSP failed to get a claim quote.|
-|6|HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY|DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.|
-|7|HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL|DHA-CSP failed in retrieving Windows AIK|
-|8|HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL|Deprecated in Windows 10, version 1607.|
-|9|HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION|Invalid TPM version (TPM version is not 1.2 or 2.0)|
-|10|HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL|Nonce was not found in the registry.|
-|11|HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL|Correlation ID was not found in the registry.|
-|12|HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL|Deprecated in Windows 10, version 1607.|
-|13|HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL|Deprecated in Windows 10, version 1607.|
-|14|HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL|Failure in Encoding functions. (Extremely unlikely scenario)|
-|15|HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL|Deprecated in Windows 10, version 1607.|
-|16|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML|DHA-CSP failed to load the payload it received from DHA-Service|
-|17|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML|DHA-CSP received a corrupted response from DHA-Service.|
-|18|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML|DHA-CSP received an empty response from DHA-Service.|
-|19|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK|DHA-CSP failed in decrypting the AES key from the EK challenge.|
-|20|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK|DHA-CSP failed in decrypting the health cert with the AES key.|
-|21|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB|DHA-CSP failed in exporting the AIK Public Key.|
-|22|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY|DHA-CSP failed in trying to create a claim with AIK attestation data.|
-|23|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB|DHA-CSP failed in appending the AIK Pub to the request blob.|
-|24|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT|DHA-CSP failed in appending the AIK Cert to the request blob.|
-|25|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE|DHA-CSP failed to obtain a Session handle.|
-|26|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE|DHA-CSP failed to connect to the DHA-Service.|
-|27|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE|DHA-CSP failed to create an HTTP request handle.|
-|28|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION|DHA-CSP failed to set options.|
-|29|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS|DHA-CSP failed to add request headers.|
-|30|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST|DHA-CSP failed to send the HTTP request.|
-|31|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE|DHA-CSP failed to receive a response from the DHA-Service.|
-|32|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS|DHA-CSP failed to query headers when trying to get HTTP status code.|
-|33|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE|DHA-CSP received an empty response from DHA-Service even though HTTP status was OK.|
-|34|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE|DHA-CSP received an empty response along with an HTTP error code from DHA-Service.|
-|35|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER|DHA-CSP failed to impersonate user.|
-|36|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR|DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.|
-|0xFFFF|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN|DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.|
-|400|Bad_Request_From_Client|DHA-CSP has received a bad (malformed) attestation request.|
-|404|Endpoint_Not_Reachable|DHA-Service is not reachable by DHA-CSP|
+### Device HealthAttestation CSP status and error codes
+
+Error code: 0 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED
+Error description: This is the initial state for devices that have never participated in a DHA-Session.
+
+Error code: 1 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED
+Error description: This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.
+
+Error code: 2 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED
+Error description: This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
+
+Error code: 3 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE
+Error description: This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.
+
+Error code: 4 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL
+Error description: Deprecated in Windows 10, version 1607.
+
+Error code: 5 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL
+Error description: DHA-CSP failed to get a claim quote.
+
+Error code: 6 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY
+Error description: DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.
+
+Error code: 7 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL
+Error description: DHA-CSP failed in retrieving Windows AIK
+
+Error code: 8 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL
+Error description: Deprecated in Windows 10, version 1607.
+
+Error code: 9 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION
+Error description: Invalid TPM version (TPM version is not 1.2 or 2.0)
+
+Error code: 10 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL
+Error description: Nonce was not found in the registry.
+
+Error code: 11 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL
+Error description: Correlation ID was not found in the registry.
+
+Error code: 12 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL
+Error description: Deprecated in Windows 10, version 1607.
+
+Error code: 13 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL
+Error description: Deprecated in Windows 10, version 1607.
+
+Error code: 14 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL
+Error description: Failure in Encoding functions. (Extremely unlikely scenario)
+
+Error code: 15 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL
+Error description: Deprecated in Windows 10, version 1607.
+
+Error code: 16 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML
+Error description: DHA-CSP failed to load the payload it received from DHA-Service
+
+Error code: 17 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML
+Error description: DHA-CSP received a corrupted response from DHA-Service.
+
+Error code: 18 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML
+Error description: DHA-CSP received an empty response from DHA-Service.
+
+Error code: 19 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK
+Error description: DHA-CSP failed in decrypting the AES key from the EK challenge.
+
+Error code: 20 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK
+Error description: DHA-CSP failed in decrypting the health cert with the AES key.
+
+Error code: 21 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB
+Error description: DHA-CSP failed in exporting the AIK Public Key.
+
+Error code: 22 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY
+Error description: DHA-CSP failed in trying to create a claim with AIK attestation data.
+
+Error code: 23 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB
+Error description: DHA-CSP failed in appending the AIK Pub to the request blob.
+
+Error code: 24 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT
+Error description: DHA-CSP failed in appending the AIK Cert to the request blob.
+
+Error code: 25 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE
+Error description: DHA-CSP failed to obtain a Session handle.
+
+Error code: 26 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE
+Error description: DHA-CSP failed to connect to the DHA-Service.
+
+Error code: 27 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHAND
+Error description: DHA-CSP failed to create an HTTP request handle.
+
+Error code: 28 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION
+Error description: DHA-CSP failed to set options.
+
+Error code: 29 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS
+Error description: DHA-CSP failed to add request headers.
+
+Error code: 30 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST
+Error description: DHA-CSP failed to send the HTTP request.
+
+Error code: 31 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE
+Error description: DHA-CSP failed to receive a response from the DHA-Service.
+
+Error code: 32 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS
+Error description: DHA-CSP failed to query headers when trying to get HTTP status code.
+
+Error code: 33 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE
+Error description: DHA-CSP received an empty response from DHA-Service even though HTTP status was OK.
+
+Error code: 34 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE
+Error description: DHA-CSP received an empty response along with an HTTP error code from DHA-Service.
+
+Error code: 35 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER
+Error description: DHA-CSP failed to impersonate user.
+
+Error code: 36 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR
+Error description: DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.
+
+Error code: 0xFFFF | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN
+Error description: DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.
+
+Error code: 400 | Error name: Bad_Request_From_Client
+Error description: DHA-CSP has received a bad (malformed) attestation request.
+
+Error code: 404 | Error name: Endpoint_Not_Reachable
+Error description: DHA-Service is not reachable by DHA-CSP
### DHA-Report V3 schema
-
```xml
**./Vendor/MSFT/NAP**
Root node.
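Review bot: this hunk introduces a duplicate and a truncation. In the SBCPHash section the unchanged context line "If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions" is kept and then added again as `+If SBCPHash is present in DHA-Report, and is not an allow-listed value, ...`, so the sentence appears twice in the result, once before the "If SBCPHash is not present" sentence and once after it; drop the stale context copy. In the error code list, entry 27 was shortened from `HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE` to `HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHAND`; restore the full name. The status/error table itself was already valid Markdown and should stay a table rather than become "Error code: N | Error name: ..." paragraphs; as written, each "Error code" line and its "Error description" line have no blank line or hard break between them and will merge into one line, and the last entry (404) runs straight into the `### DHA-Report V3 schema` heading with no blank line. Smaller fixes in the same hunk: "a allow list" should be "an allow list", and "finger print" should be "fingerprint".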
@@ -113,17 +113,7 @@ Node.
***NAPX*/Bearer/BearerType**
Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi.
-## Related topics
-
+## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
From 7e24feeec760be41d6011e5259c2aca28b1a3f20 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger
Date: Tue, 16 Nov 2021 14:33:56 -0500
Subject: [PATCH 06/14] formatting
---
windows/client-management/mdm/napdef-csp.md | 29 +++++----------------
1 file changed, 6 insertions(+), 23 deletions(-)
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index 2c7ac27df6..c145824e5c 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -14,16 +14,12 @@ ms.date: 06/26/2017
# NAPDEF CSP
-
The NAPDEF configuration service provider is used to add, modify, or delete WAP network access points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a.
-> **Note** You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list.
+> [!Note]
+> You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list.
>
->
->
-> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
-
-
+> This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
@@ -77,9 +73,8 @@ Specifies the protocol used to authenticate the user.
The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note
-> **Note** **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change.
-
-
+> [!Note]
+> **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change.
**BEARER**
Specifies the type of bearer.
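Review bot: the context line in this hunk still ends with a stray "Note" ("...and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note"), left over from the inline `**Note**` that this hunk replaces with a `> [!Note]` callout; delete that trailing word. The same line also expands "POP" as Password Authentication Protocol, whose acronym is PAP; the value name should be checked against the WAP-183-ProvCont spec cited at the top of the file and corrected if it is indeed "PAP".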
@@ -124,7 +119,6 @@ The name of the *NAPID* element is the same as the value passed during initial b
## Microsoft Custom Elements
-
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
|Elements|Available|
@@ -134,17 +128,6 @@ The following table shows the Microsoft custom elements that this configuration
|Nocharacteristic|Yes|
|Characteristic-query|Yes|
-## Related topics
-
+## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
-
-
From 85e675b07aa1f3e69b3182b0a1ec47eafdb22574 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger
Date: Tue, 16 Nov 2021 14:37:36 -0500
Subject: [PATCH 07/14] Fixed table formatting
---
windows/client-management/mdm/office-csp.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index d505f71d74..280b16b2cf 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -21,7 +21,8 @@ This CSP was added in Windows 10, version 1703.
For more information, see [Office DDF](office-ddf.md).
The following shows the Office configuration service provider in tree format.
-```
+
+```console
./Vendor/MSFT
Office
----Installation
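Review bot: the fence added here is tagged `console`, but the block is a node tree diagram, not terminal input or output; a plain fence (or `text`) would avoid shell-style highlighting being applied to the `./Vendor/MSFT` lines.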
@@ -46,6 +47,7 @@ Office
------------Install
------------Status
```
+
**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office**
The root node for the Office configuration service provider.
@@ -159,10 +161,8 @@ To get the current status of Office 365 on the device.
|1460|ERROR_TIMEOUT
Failed to download ODT|Failure|
|1602|ERROR_INSTALL_USEREXIT
User canceled the installation|Failure|
|1603|ERROR_INSTALL_FAILURE
Failed any pre-req check.SxS (Tried to install when 2016 MSI is installed)Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure|
-|17000|ERROR_PROCESSPOOL_INITIALIZATION
-Failed to start C2RClient|Failure|
-|17001|ERROR_QUEUE_SCENARIO
-Failed to queue installation scenario in C2RClient|Failure|
+|17000|ERROR_PROCESSPOOL_INITIALIZATION
Failed to start C2RClient|Failure|
+|17001|ERROR_QUEUE_SCENARIO
Failed to queue installation scenario in C2RClient|Failure|
|17002|ERROR_COMPLETING_SCENARIO
Failed to complete the process. Possible reasons:Installation canceled by userInstallation canceled by another installationOut of disk space during installation Unknown language ID|Failure|
|17003|ERROR_ANOTHER_RUNNING_SCENARIO
Another scenario is running|Failure|
|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
Possible reasons:Unknown SKUsContent does't exist on CDN- Such as trying to install an unsupported LAP, like zh-sg
- CDN issue that content is not available
Signature check issue, such as failed the signature check for Office contentUser canceled|Failure|
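Review bot: The 17000 and 17001 rows still span two physical lines in the `+` lines (`|17000|ERROR_PROCESSPOOL_INITIALIZATION` followed by `Failed to start C2RClient|Failure|`), and a Markdown table row has to be a single line, so as shown here the rewrite does not change how the rows render. Join each row and separate the error name from its description with `<br>`, for example `|17000|ERROR_PROCESSPOOL_INITIALIZATION<br>Failed to start C2RClient|Failure|`; the untouched rows (1460, 1602, 1603, 17002 to 17004) have the same problem. While in this table, the 17004 cell has a typo ("does't" should be "doesn't") and its "Possible reasons" list is run together; `<br>` separators between the reasons would make it readable.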
From 54bbdfdd5e694f1f50a9ad423e79b90eda93b129 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger
Date: Tue, 16 Nov 2021 14:50:50 -0500
Subject: [PATCH 08/14] Formatting
---
.../mdm/oma-dm-protocol-support.md | 94 ++++++++-----------
1 file changed, 39 insertions(+), 55 deletions(-)
diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md
index e0f5141f02..0237669cbd 100644
--- a/windows/client-management/mdm/oma-dm-protocol-support.md
+++ b/windows/client-management/mdm/oma-dm-protocol-support.md
@@ -17,20 +17,6 @@ ms.date: 06/26/2017
The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf).
-
-## In this topic
-
-- [OMA DM standards](#oma-dm-standards)
-
-- [OMA DM protocol common elements](#protocol-common-elements)
-
-- [Device management session](#device-management-session)
-
-- [User targeted vs. Device targeted configuration](#user-targeted-vs-device-targeted-configuration)
-
-- [SyncML response codes](#syncml-response-codes)
-
-
## OMA DM standards
The following table shows the OMA DM standards that Windows uses.
@@ -39,11 +25,11 @@ The following table shows the OMA DM standards that Windows uses.
|--- |--- |
|Data transport and session|Client-initiated remote HTTPS DM session over SSL.Remote HTTPS DM session over SSL.Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.|
|Bootstrap XML|OMA Client Provisioning XML.|
-|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.Add (Implicit Add supported)Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one existsExec: Invokes an executable on the client deviceGet: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded formatReplace: Overwrites data on the client deviceResult: Returns the data results of a Get command to the DM serverSequence: Specifies the order in which a group of commands must be processedStatus: Indicates the completion status (success or failure) of an operation
If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:SyncBodyAtomicSequence
If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
If Atomic elements are nested, the following status codes are returned:The nested Atomic command returns 500.The parent Atomic command returns 507.
For more information about the Atomic command, see OMA DM protocol common elements.
Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
LocURI cannot start with "/".
Meta XML tag in SyncHdr is ignored by the device.|
+|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
Add (Implicit Add supported)Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one existsExec: Invokes an executable on the client deviceGet: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded formatReplace: Overwrites data on the client deviceResult: Returns the data results of a Get command to the DM serverSequence: Specifies the order in which a group of commands must be processedStatus: Indicates the completion status (success or failure) of an operation
If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
SyncBodyAtomicSequence
If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
If Atomic elements are nested, the following status codes are returned:
The nested Atomic command returns 500.The parent Atomic command returns 507.
For more information about the Atomic command, see OMA DM protocol common elements.
Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
LocURI cannot start with `/`.
Meta XML tag in SyncHdr is ignored by the device.|
|OMA DM standard objects|DevInfoDevDetailOMA DM DMS account objects (OMA DM version 1.2)|
|Security|Authenticate DM server initiation notification SMS message (not used by enterprise management)Application layer Basic and MD5 client authenticationAuthenticate server with MD5 credential at application levelData integrity and authentication with HMAC at application levelSSL level certificate-based client/server authentication, encryption, and data integrity check|
-|Nodes|In the OMA DM tree, the following rules apply for the node name:"" can be part of the node name.The node name cannot be empty.The node name cannot be only the asterisk (*) character.|
-|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).
If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.**Note**
To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
|
+|Nodes|In the OMA DM tree, the following rules apply for the node name:
"." can be part of the node name.The node name cannot be empty.The node name cannot be only the asterisk (*) character.|
+|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).
If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.**Note**
To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
|
|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.|
|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.|
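Review bot: The rewritten Provisioning Files row carries over a broken link: `SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905)` has no opening `[`, so it renders as literal text followed by a bare URL. Fix it as `[SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905)` while the row is being touched, and move the `**Note**` that is glued onto the end of the preceding sentence to its own sentence, since a table cell cannot hold a blockquote alert. The DM protocol commands, Nodes and Provisioning Files cells are also still split across several physical lines, which a table parser reads as new rows; each cell needs to be on one line with `<br>` where a break is wanted.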
@@ -86,17 +72,25 @@ A DM session can be divided into two phases:
1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table.
2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase two ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table.
-The following table shows the sequence of events during a typical DM session.
+The following information shows the sequence of events during a typical DM session.
-|Step|Action|Description|
-|--- |--- |--- |
-|1|DM client is invoked to call back to the management server
Enterprise scenario – The device task schedule invokes the DM client.|The MO server sends a server trigger message to invoke the DM client.
The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.|
-|2|The device sends a message, over an IP connection, to initiate the session.|This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.|
-|3|The DM server responds, over an IP connection (HTTPS).|The server sends initial device management commands, if any.|
-|4|The device responds to server management commands.|This message includes the results of performing the specified device management operations.|
-|5|The DM server terminates the session or sends another command.|The DM session ends, or Step 4 is repeated.|
+1. DM client is invoked to call back to the management server
Enterprise scenario – The device task schedule invokes the DM client.
-The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
+ The MO server sends a server trigger message to invoke the DM client.
+
+ The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.
+
+2. The device sends a message, over an IP connection, to initiate the session.
+
+ This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
+
+3. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any.
+
+4. The device responds to server management commands. This message includes the results of performing the specified device management operations.
+
+5. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated.
+
+The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started.
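Review bot: Step 1 of the new numbered list is malformed: `Enterprise scenario – The device task schedule invokes the DM client.` and `Enterprise scenario - At the scheduled time, ...` are not indented like the other continuation paragraphs (`   The MO server sends ...`), so they break out of item 1 and the list restarts at item 2. Indent them with three spaces like the lines around them. Also, the lead sentence now says "The following information shows", but the two phase descriptions in the context lines above still say "represented by steps 1, 2, and 3 in the following table"; update them to "in the following list" so the section agrees with itself.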
@@ -117,7 +111,7 @@ The data part of this alert could be one of following strings:
Below is an alert example:
-```
+```xml
1
1224
@@ -143,37 +137,27 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo
When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.
-| Status code | Description |
-|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 200 | The SyncML command completed successfully. |
-| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. |
+| Status code | Description |
+|---|----|
+| 200 | The SyncML command completed successfully. |
+| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. |
| 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. |
-| 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. |
-| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. |
-| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. |
-| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. |
-| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. |
-| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. |
-| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. |
-| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. |
-| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. |
-| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. |
-| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. |
-| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. |
+| 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. |
+| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. |
+| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. |
+| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. |
+| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. |
+| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. |
+| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. |
+| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. |
+| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. |
+| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. |
+| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. |
+| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. |
| 500 | Command failed. Generic failure. The recipient encountered an unexpected condition which prevented it from fulfilling the request. This response code will occur when the SyncML DPU cannot map the originating error code. |
-| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. |
-| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. |
-
-
+| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. |
+| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. |
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-
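Review bot: The rewritten 405 row keeps "This respond code will be generated if you try to write to a read-only node."; change it to "This response code" to match the wording of the 406, 415 and 418 rows, since the line is being replaced anyway.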
From 39f6b3841b9e677b9cc2db78780bea409f495251 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger
Date: Tue, 16 Nov 2021 15:33:52 -0500
Subject: [PATCH 09/14] Fixed note, important
---
windows/client-management/mdm/hotspot-csp.md | 33 +++++++++-----------
1 file changed, 15 insertions(+), 18 deletions(-)
diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md
index ab23f17606..897e8ee489 100644
--- a/windows/client-management/mdm/hotspot-csp.md
+++ b/windows/client-management/mdm/hotspot-csp.md
@@ -17,13 +17,10 @@ ms.date: 06/26/2017
The HotSpot configuration service provider is used to configure and enable Internet sharing on the device, in which the device can be configured to share its cellular connection over Wi-Fi with up to eight client devices or computers.
-> **Note** HotSpot CSP is only supported in Windows 10 Mobile.
+> [!Note]
+> HotSpot CSP is only supported in Windows 10 Mobile.
>
->
->
-> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application.
-
-
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application.
The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
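Review bot: The two separate notes are merged into one `[!Note]` alert with a bare `>` line between them, so the rendered page shows a single note containing two unrelated statements (the Windows 10 Mobile restriction and the ID_CAP_CSP_FOUNDATION capability requirement). Either keep them as two `> [!Note]` blocks separated by a blank line or make the merge deliberate by joining them into one sentence. Separately, the docs Markdown reference spells these alerts `[!NOTE]` and `[!IMPORTANT]`; consider matching that casing across this patch rather than introducing `[!Note]` and `[!Important]`.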
@@ -62,8 +59,8 @@ By default, any available connection will be used as a public connection. Howeve
Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
-> **Note** The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well.
-
+> [!Note]
+> The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well.
If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share
@@ -77,9 +74,8 @@ If a CDMA mobile operator requires using a Tethering NAI during Internet sharing
Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
-> **Note** The mapping policy will also include the connections specified in the **DedicatedConnections** as well.
-
-
+> [!Note]
+> The mapping policy will also include the connections specified in the **DedicatedConnections** as well.
If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share
@@ -109,8 +105,8 @@ Optional. Reference to a localized string, provided by the mobile operator, that
Where `` is the path to the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](/windows/win32/intl/using-registry-string-redirection) on MSDN.
-> **Note** MOAppLink is required to use the MOHelpMessage setting.
-
+> [!Note]
+> MOAppLink is required to use the MOHelpMessage setting.
**EntitlementRequired**
@@ -137,14 +133,14 @@ Optional. The time-out value, in minutes, after which Internet sharing is automa
Changes to this node require a reboot.
**MinWifiKeyLength**
-> **Important** This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8.
-
+> [!Important]
+> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8.
**MinWifiSSIDLength**
-> **Important** This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1.
-
+> [!Important]
+> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1.
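Review bot: Both rewritten `[!Important]` lines keep the abbreviation "parm"; since the text is being replaced, spell it out ("This parameter is no longer supported for Windows Phone 8.1") in both the MinWifiKeyLength and MinWifiSSIDLength notes.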
## Additional requirements for CDMA networks
@@ -169,7 +165,8 @@ For CDMA networks that use a separate Network Access Identity (NAI) for Internet
```
-> **Note** CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on.
+> [!Note]
+> CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on.
From 9626a68f2a63ef2e76f3e1decfc4408ab765abc5 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger
Date: Tue, 16 Nov 2021 15:50:40 -0500
Subject: [PATCH 10/14] Removed error messages into bullets
---
.../mdm/mobile-device-enrollment.md | 99 +++++++++++++++----
1 file changed, 80 insertions(+), 19 deletions(-)
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index 8b9380767e..149069b97b 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -110,15 +110,49 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
```
-|Namespace|Subcode|Error|Description|HRESULT|
-|--- |--- |--- |--- |--- |
-|s:|MessageFormat|MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|Invalid message from the Mobile Device Management (MDM) server.|80180001|
-|s:|Authentication|MENROLL_E_DEVICE_AUTHENTICATION_ERROR|The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.|80180002|
-|s:|Authorization|MENROLL_E_DEVICE_AUTHORIZATION_ERROR|The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.|80180003|
-|s:|CertificateRequest|MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR|The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.|80180004|
-|s:|EnrollmentServer|MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.|80180005|
-|a:|InternalServiceFault|MENROLL_E_DEVICE_INTERNALSERVICE_ERROR|There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.|80180006|
-|a:|InvalidSecurity|MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.|80180007|
+**Sample error messages**
+
+- **Namespace**: `s:`
+ - **Subcode**: MessageFormat
+ - **Error**: MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR
+ - **Description**: Invalid message from the Mobile Device Management (MDM) server.
+ - **HRESULT**: 80180001
+
+- **Namespace**: `s:`
+ - **Subcode**: Authentication
+ - **Error**: MENROLL_E_DEVICE_AUTHENTICATION_ERROR
+ - **Description**: The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.
+ - **HRESULT**: 80180002
+
+- **Namespace**: `s:`
+ - **Subcode**: Authorization
+ - **Error**: MENROLL_E_DEVICE_AUTHORIZATION_ERROR
+ - **Description**: The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.
+ - **HRESULT**: 80180003
+
+- **Namespace**: `s:`
+ - **Subcode**: CertificateRequest
+ - **Error**: MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR
+ - **Description**: The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.
+ - **HRESULT**: 80180004
+
+- **Namespace**: `s:`
+ - **Subcode**: EnrollmentServer
+ - **Error**: MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR
+ - **Description**: The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.
+ - **HRESULT**: 80180005
+
+- **Namespace**: `a:`
+ - **Subcode**: InternalServiceFault
+ - **Error**: MENROLL_E_DEVICE_INTERNALSERVICE_ERROR
+ - **Description**: There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.
+ - **HRESULT**: 80180006
+
+- **Namespace**: `a:`
+ - **Subcode**: InvalidSecurity
+ - **Error**: MENROLL_E_DEVICE_INVALIDSECURITY_ERROR
+ - **Description**: The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.
+ - **HRESULT**: 80180007
In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example:
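Review bot: Converting the fault table to nested bullets removes the column alignment that let a reader scan Subcode against HRESULT in one glance; the removed table was valid Markdown, so if the motivation was only rendering, keeping the table and trimming the long Description cells would serve readers better. If the bullets stay, `**Sample error messages**` is bold text standing in for a heading; make it a real `###` heading so it shows up in the page outline and does not trip the emphasis-as-heading lint rule.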
@@ -152,15 +186,42 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
```
-|Subcode|Error|Description|HRESULT|
-|--- |--- |--- |--- |
-|DeviceCapReached|MENROLL_E_DEVICECAPREACHED|The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.|80180013|
-|DeviceNotSupported|MENROLL_E_DEVICENOTSUPPORTED|The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.|80180014|
-|NotSupported|MENROLL_E_NOT_SUPPORTED|Mobile Device Management (MDM) is generally not supported for this device.|80180015|
-|NotEligibleToRenew|MENROLL_E_NOTELIGIBLETORENEW|The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.|80180016|
-|InMaintenance|MENROLL_E_INMAINTENANCE|The Mobile Device Management (MDM) server states your account is in maintenance, try again later.|80180017|
-|UserLicense|MENROLL_E_USER_LICENSE|There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.|80180018|
-|InvalidEnrollmentData|MENROLL_E_ENROLLMENTDATAINVALID|The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.|80180019|
+**Sample error messages**
+
+- **Subcode**: DeviceCapReached
+ - **Error**: MENROLL_E_DEVICECAPREACHED
+ - **Description**: The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.
+ - **HRESULT**: 80180013
+
+- **Subcode**: DeviceNotSupported
+ - **Error**: MENROLL_E_DEVICENOTSUPPORTED
+ - **Description**: The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.
+ - **HRESULT**: 80180014
+
+- **Subcode**: NotSupported
+ - **Error**: MENROLL_E_NOT_SUPPORTED
+ - **Description**: Mobile Device Management (MDM) is generally not supported for this device.
+ - **HRESULT**: 80180015
+
+- **Subcode**: NotEligibleToRenew
+ - **Error**: MENROLL_E_NOTELIGIBLETORENEW
+ - **Description**: The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.
+ - **HRESULT**: 80180016
+
+- **Subcode**: InMaintenance
+ - **Error**: MENROLL_E_INMAINTENANCE
+ - **Description**: The Mobile Device Management (MDM) server states your account is in maintenance, try again later.
+ - **HRESULT**: 80180017
+
+- **Subcode**: UserLicense
+ - **Error**: MENROLL_E_USER_LICENSE
+ - **Description**: There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.
+ - **HRESULT**: 80180018
+
+- **Subcode**: InvalidEnrollmentData
+ - **Error**: MENROLL_E_ENROLLMENTDATAINVALID
+ - **Description**: The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.
+ - **HRESULT**: 80180019
TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
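Review bot: The DeviceNotSupported bullet carries over a comma splice from the table: "doesn't support this platform or version, consider upgrading your device". Split it into two sentences ("... this platform or version. Consider upgrading your device.") while the text is being moved, and do the same for InMaintenance ("... is in maintenance, try again later").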
@@ -169,4 +230,4 @@ TraceID is a freeform text node which is logged. It should identify the server s
- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
-- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
\ No newline at end of file
+- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
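Review bot: this hunk only adds the missing trailing newline, which is correct. Style point while touching the line: the link text should read "On-premises authentication device enrollment" (Microsoft style uses "on-premises" as the adjective); the file name `on-premise-authentication-device-enrollment.md` can stay as is so the link does not break.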
From 0af883e11c7f5f9169cc8dfd33945d17659a2d18 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Tue, 16 Nov 2021 14:07:27 -0800
Subject: [PATCH 11/14] Changed label on code block
---
windows/client-management/mdm/healthattestation-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 3f2e38b93b..83e90a87ec 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -640,7 +640,7 @@ Validate that both the MDM server and the device (MDM client) can access has.sps
You can use OpenSSL to validate access to DHA-Service. Here is a sample OpenSSL command and the response that was generated by DHA-Service:
-```powershell
+```console
PS C:\openssl> ./openssl.exe s_client -connect has.spserv.microsoft.com:443
CONNECTED(000001A8)
---
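Review bot: `console` is the right label here because the block mixes a `PS C:\openssl>` prompt with server output rather than a runnable script. Worth adding a sentence above the block: the `CONNECTED(...)` line from `openssl s_client -connect has.spserv.microsoft.com:443` only proves the TCP/TLS handshake reached the service; readers validating access should also check the `Verify return code` at the end of the `s_client` output, since a handshake that completes with a failed chain verification would still print `CONNECTED`.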
From f1e0f7da406b1e1f5b28d1d8325fcf54a8a36d27 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Tue, 16 Nov 2021 14:07:54 -0800
Subject: [PATCH 12/14] Added image border via newer style image ref
---
.../mdm/implement-server-side-mobile-application-management.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 65f11b56b4..6313e10ef7 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -44,7 +44,7 @@ To make applications WIP-aware, app developers need to include the following dat
MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.
-
+:::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png":::
MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.
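Review bot: the new `:::image:::` reference is fine, but the alt text "Mobile application management app." is generic; the sentence before it says the screenshot shows the management app as configured by an IT admin, so alt text such as "Azure AD management app configured for MAM and MDM enrollment" would tell a screen-reader user what the image actually shows.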
From 51833ec1f98955d11e1843ec9ff12bf7236a3439 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Tue, 16 Nov 2021 14:09:27 -0800
Subject: [PATCH 13/14] Decreased indentation of code block's contents
---
.../mdm/oma-dm-protocol-support.md | 20 +++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md
index 0237669cbd..893ac1e192 100644
--- a/windows/client-management/mdm/oma-dm-protocol-support.md
+++ b/windows/client-management/mdm/oma-dm-protocol-support.md
@@ -113,16 +113,16 @@ Below is an alert example:
```xml
- 1
- 1224
- -
-
- com.microsoft/MDM/LoginStatus
- chr
-
- user
-
-
+ 1
+ 1224
+ -
+
+ com.microsoft/MDM/LoginStatus
+ chr
+
+ user
+
+
```
The server notifies the device whether it is a user targeted or device targeted configuration by a prefix to the management node’s LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it is device targeted configuration.
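Review bot: as rendered here the hunk has lost its XML element tags (only the text nodes `1`, `1224`, `com.microsoft/MDM/LoginStatus`, `chr` and `user` survive), so the re-indented `<Alert>` block cannot be checked for well-formedness from the diff alone; please confirm the fenced block still renders with its opening and closing tags intact. Two points in the trailing context line: the OMA DM element is `LocURI`, not "LocURL", and "if no prefix with ./device or ./user, it is device targeted configuration" reads better as "if the LocURI has no ./device or ./user prefix, the configuration is device targeted".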
From fc8653be3cda76508c4f35ec2f8c0aa30ccf98f8 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Tue, 16 Nov 2021 14:11:00 -0800
Subject: [PATCH 14/14] Acrolinx: "AD integrated" as an adjective
---
.../implement-server-side-mobile-application-management.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 6313e10ef7..396d3ea018 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -18,11 +18,11 @@ The Windows version of mobile application management (MAM) is a lightweight solu
## Integration with Azure AD
-MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
+MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
-MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
+MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
-On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
+On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
Regular non-admin users can enroll to MAM.
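Review bot: the "Azure AD-integrated" hyphenation is correct, but the second `+` line still carries a misplaced apostrophe: "a users’ personal devices will be enrolled" should be "a user's personal devices will be enrolled" (singular possessive, matching "the user’s actions" later in the same sentence). Since the line is already being edited for Acrolinx, fix it in this hunk.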