From c8e9797ed158d525387eb685c37214a797db12e5 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 7 Jun 2017 14:03:27 -0700 Subject: [PATCH 1/2] TFS 12104319, added TPMPolicy CSP and DDF topics for RS2 --- windows/client-management/mdm/TOC.md | 2 + ...onfiguration-service-provider-reference.md | 14 ++-- .../mdm/images/provisioning-csp-tpmpolicy.png | Bin 0 -> 3285 bytes ...ew-in-windows-mdm-enrollment-management.md | 12 ++- .../client-management/mdm/tpmpolicy-csp.md | 46 ++++++++++++ .../mdm/tpmpolicy-ddf-file.md | 71 ++++++++++++++++++ 6 files changed, 139 insertions(+), 6 deletions(-) create mode 100644 windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png create mode 100644 windows/client-management/mdm/tpmpolicy-csp.md create mode 100644 windows/client-management/mdm/tpmpolicy-ddf-file.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index ead7fdaf03..45051db6b8 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -198,6 +198,8 @@ #### [SUPL DDF file](supl-ddf-file.md) ### [SurfaceHub CSP](surfacehub-csp.md) #### [SurfaceHub DDF file](surfacehub-ddf-file.md) +### [TPMPolicy CSP](tpmpolicy-csp.md) +#### [TPMPolicy DDF file](tpmpolicy-ddf-file.md) ### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) #### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md) ### [Update CSP](update-csp.md) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 7c7746d87a..e6f6ca4648 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
@@ -11,6 +11,9 @@ author: nickbrower # Configuration service provider reference +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot. For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). @@ -1164,10 +1167,10 @@ The following tables show the configuration service providers support in Windows cross mark - check mark - check mark - check mark - check mark + check mark3 + check mark3 + check mark3 + check mark3 cross mark cross mark @@ -2358,7 +2361,8 @@ The following tables show the configuration service providers support in Windows  Footnotes: - 1 - Added in Windows 10, version 1607 -- 2 - Added in Windows 10, version 1703 +- 2 - Added in Windows 10, version 1703 +- 3 - Added in the next major update to Windows 10 > [!Note] > You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip). 
diff --git a/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png b/windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png new file mode 100644 index 0000000000000000000000000000000000000000..8950a1614d9e9dbf1fb6d20ea004f9624f4d9b7a GIT binary patch literal 3285 zcmbVPX*e5Nw+@P9o?3#SrXFf)R5eZO5JOFE%|q2OoK$IzF&Cl6R;8h82->J2#8AZ4 z5(H5(MNzXN$5g6R6fwJczI&g0f8Ou=vG-nUKWpvb+527ZT8ZX&40$-kH~|0vkFk-y zB>=!AeJTh3#(dfvmgBY8wLOnlDQ6DSxea)Vb-BeYj4(kg}Nmu2eaF($ml?|bynXLe3&j0(!mub2wmYX_B>~k zUK)-tFZIlEsvNYCM4Kz{#>;i^iL>XMpHE?fh!F?)W1gic)PaWfsD11Gee0+(r>O}y zk`yw?A=#Zm{>Gq}BkAjmU?xE988p)+d+7C1pZBv*m}_ckWKEg2;zkHmDwSfE>A7t( zQg+Ll^0K{X$)>sCTgWG@kFRg<9AKJ%-o9)kY-4%G+Iud^GZ#eKJ$@N5YsiUBCTaOK zZmpoMHXPpP=yiCHK@%3s9CMGUBe~*+qA)aema(`k@Z%0EmxG-L`dxF_wYy5lK)TjE zO~xoiD3iCpZ#wQlH;2U3nJSHzR{XH?=qJWTWtbP2}9n&;)&rV-YfDYJRC(ZaU$4C?5<;8aL}<3{L@{oPcgrXFRsJH z;5eRU137(a6Sn`kA!t+!e?*2c}$;+$IH3If{4wR4ki})P~^<4D#mV=Q%Qf?XSwF@ z_~IzdbHC}m;F9d_o=UIgH5;)tNlJhd^ynXZgu+Y0^dF1^E#3*eD36`#Dn5(olun&5 zY3})Im#n6ueK!4!R|>o?OrAKakji1Q?df}BU38o%^S)gThRcpu=}CM&sd~W0az!OJ z&qHJ{ZIGJ$hu*^&s9Dq$f3h0ZOUL_TZzi17=)bUj^w`3E;U6y0PQ4e;8*8tNnCT-MxS>0} zz1rB5uin2FyJnlqxPz8b=XKT;v>JusszD~(_IV1&@BFL4 zcr&NNdmtIN0q_nOi^Pchb1|<5_oNoYuDU?Ym&Xf&9nbIGebyJG-1TIP(8YaDDD>p! zc-uEj_3~mbLHl@qjQYUJTCfU+epgX}%{`7q?CvO7d&8uwOF8XIFEz>3{b+N8J90RH z=9#x8;EtM)wxOOelW0J_**4Q41 zqAyW%9Gctz7{q=E9DsBfxsty(2ClB|H@&Z`ljmZUlkEhI*dTSa$31hEe3AbnXv!|G_s=`p1{v*`Sr1aSXQFpsx+VxA1Hu{q7z2L za6#CHSSXII;1o&75;Hn_s}(Hb$6ff}E)pQ}tRS-)=S;_Gd2E%W-LTfM+LS5hW)gx50s`% z+-G#n6f6H~@@R<(Ka`IK^=>vl61vG~^UCvfW}B#(8SR=4h7_URzG3e~m3!yB>9$-; zFdmlne^vbD45RcmbBJ;;!_iE*u7xbzFdQe=6-?SUK)iB@m<3YuW$_`G3NT8A9+^{! 
zs|uf+p8rV6pSan_*_11;MDPG~=b#ng`{UZST5V$^V?erQ@o8jHNP%T-#k7kcp1Iafs4HyaFuRj=&wNm=H%oo?g!40 zdJNfK7JOwOA0s=6R?#khxKynar*legM zTBMaV_R#&PHS0k8U_URy(WuG~S6Bl#U>lob`}ffG9{}?I?Sc&aJ~;nTOaVCK_-@*V z3>G<^koX{dX~?@ni~sLa*e4WnfL6IddP8T>L2PL0hs+cx3nfJ(8vZ64KEXSU4s5$D zcKIx1Gz$gMoE%3^0l{L_UpWIuV^*H}TBKT}w&#w&!^MJ^K3a0>)o^=AMwI^oaJ6Q@ zB|Atp5LqiJ@%eKm?0#c|_>qf*>DK5HH)!>i4=4v1ekWMIv|$SekE^_KbhpEvW>4tK zhtIt>@2E5=HJy3!ZD$_&n*1d7DmzzNaZp z$}9MMoT0_1?frxuUQ@c97wm0_i$cNahBng#N-Lq?>$s8%S~cyT{VE#%Ybg&O)P8=p*F9sX&VbU7@I$@^%p ztJ5MLt~akX6J=(01!Yk3^b6j0f9o-dGloRzwbY#1Rm?9`zTzIDtW2p=?G{CDn5Taj zs@>sJ$={m89A;ju^a$z0++?TN_Z9RoQ~Yn9kbb@ubY;yOQ#Gwh#h5-vk-2H*G~X{z389fDpvu`&x#I_B;%#Uzeha4r z@lM+JzklBR2-&M`YP76$RX*aObTsDmsbEq+68!9Om#=g}3aBqgDcWy0lNZ-4C><6& zprkBgk!ZLcPWyDny|3C$sI+_z@~0C0?Pn%)9F25AZihaB4pR^K=Dsk|+~YoCvdHkB zQ`(N-g~nGsU(zhmC{U9ljb#nkl-L0&;%T2vXs5@Dyh9BkXh*V!HoSN#yd*Ov!9own$|RXCKgHpCrHVKHf|mbXXOToU-T<~a(bM_wu11@{P4Gz vX#39r+$<2bR+nfvfLr)~gw*Nj6P8c*g36NRjCZG{2*B9jj(&x%OU!=(i3@2f literal 0 HcmV?d00001 diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 9992411f6a..96d9601963 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -14,6 +14,8 @@ author: nickbrower # What's new in MDM enrollment and management +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. @@ -892,6 +894,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • [Policy CSP](policy-configuration-service-provider.md)
  • + +[TPMPolicy CSP](tpmpolicy-csp.md) +New CSP added in Windows 10, version 1703. +   @@ -1180,7 +1186,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) Added a list of registry locations that ingested policies are allowed to write to. - + [Firewall CSP](firewall-csp.md) Added the following nodes:
      @@ -1191,6 +1197,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
    • Status
    Also Added [Firewall DDF file](firewall-ddf-file.md). + +[TPMPolicy CSP](tpmpolicy-csp.md) +New CSP added in Windows 10, version 1703. + diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md new file mode 100644 index 0000000000..222b6a7627 --- /dev/null +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -0,0 +1,46 @@ +--- +title: TPMPolicy CSP +description: TPMPolicy CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# TPMPolicy CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The TPMPolicy configuration service provider (CSP) . The TPMPolicy CSP was added in Windows 10, version 1703. + +The following diagram shows the TPMPolicy configuration service provider in tree format. + +![tpmpolicy csp](images/provisioning-csp-tpmpolicy.png) + +**./Device/Vendor/MSFT/TPMPolicy** +

    Defines the root node.

    + +**IsActiveZeroExhaust** +

    Boolean value

    + +Here is an example: + +``` syntax +                +                    101 +                    +                        +                            +                                ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust +                            +                        +                         + bool +               text/plain +        +        true +                     +                 +``` \ No newline at end of file diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md new file mode 100644 index 0000000000..35a90ff87b --- /dev/null +++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md @@ -0,0 +1,71 @@ +--- +title: TPMPolicy DDF file +description: TPMPolicy DDF file +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# TPMPolicy DDF file + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **TPMPolicy** configuration service provider. The TPMPolicy CSP was added in Windows 10, version 1703. + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + TPMPolicy + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/TPMPolicy + + + + IsActiveZeroExhaust + + + + + + False + + + + + + + + + + + text/plain + + + + + +``` \ No newline at end of file From e9002a782461bfa047ced3b2228137ddf380cbbe Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Thu, 8 Jun 2017 10:50:38 -0700 Subject: [PATCH 2/2] TPMPolicy CSP, incorporated feedback from Shantanu --- ...onfiguration-service-provider-reference.md | 28 +++++++++++++++++++ .../client-management/mdm/tpmpolicy-csp.md | 13 +++++++-- 2 files changed, 39 insertions(+), 2 deletions(-) 
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index e6f6ca4648..a6d30377d2 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2047,6 +2047,34 @@ The following tables show the configuration service providers support in Windows + +[TPMPolicy CSP](tpmpolicy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck markcheck mark
    + + + + [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 222b6a7627..239e679672 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -13,7 +13,9 @@ author: nickbrower > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The TPMPolicy configuration service provider (CSP) . The TPMPolicy CSP was added in Windows 10, version 1703. +The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (telemetry or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. + +The TPMPolicy CSP was added in Windows 10, version 1703. The following diagram shows the TPMPolicy configuration service provider in tree format. @@ -23,7 +25,14 @@ The following diagram shows the TPMPolicy configuration service provider in tree

    Defines the root node.

    **IsActiveZeroExhaust** -

    Boolean value

    +

    Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:

    + +
      +
    • There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected.
    • +
    • There should be no traffic during installation of Windows and first logon when local ID is used.
    • +
    • Launching and using a local app (Notepad, Paint, etc.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, etc.) should not send any traffic.
    • +
    • Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic, telemetry, etc.) to Microsoft.
    • +
    Here is an example:
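Review bot: In the new tpmpolicy-csp.md (PATCH 1/2), the node heading gives the root as ./Device/Vendor/MSFT/TPMPolicy, but the example's LocURI a few lines below it is ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust, and the DDF in tpmpolicy-ddf-file.md declares the node as TPMPolicy under ./Vendor/MSFT. Use one path prefix and one casing in all three places, so that an admin who copies the example targets the node the topic documents. The IsActiveZeroExhaust description should also say which operations the node supports; the example carries a bool value of true, but the text never states how the node may be read or written.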
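Review bot: The TPMPolicy table added to configuration-service-provider-reference.md in PATCH 2/2 uses plain "check mark" cells with no footnote, while PATCH 1/2 added footnote 3 ("Added in the next major update to Windows 10") to the same file and the topic itself says the CSP was added in Windows 10, version 1703, which is footnote 2. Add the matching superscript to the six supported editions, and reconcile the version 1703 statement with the prerelease warning that PATCH 1/2 places at the top of tpmpolicy-csp.md and tpmpolicy-ddf-file.md.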
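Review bot: The overview sentence added to tpmpolicy-csp.md in PATCH 2/2 scopes zero exhaust to "TPM software components", but the definition that follows and the four bullet examples cover all traffic from Windows and inbox applications to public IP addresses. State which scope the setting actually has, because an admin who treats it as an egress control needs to know what is and is not covered, and say whether the setting enforces the behavior or only describes what "should" happen. In the IsActiveZeroExhaust description, "network traffic ... are not allowed" should read "is not allowed", and "when machine is on idle" should read "when the machine is idle".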
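Review bot: Both new files in PATCH 1/2, tpmpolicy-csp.md and tpmpolicy-ddf-file.md, end with "\ No newline at end of file"; add the trailing newline after the closing code fence. In the DDF the default for IsActiveZeroExhaust is written "False" while the topic text says "Default value is false" and the example uses "true"; use one casing for the boolean literals across the topic and the DDF.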