deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-29 17:23:44 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

PassportForWork CSP

Browse Source
This commit is contained in:
Vinay Pamnani
2023-02-24 12:51:08 -05:00
parent 02a47591b8
commit 607eab541a
4 changed files with 4044 additions and 1563 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/client-management/change-history-for-mdm-documentation.md
View File

@ -308,7 +308,7 @@ As of November 2020 This page will no longer be updated. This article lists new
|[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:<br/><br/>Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.| |[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:<br/><br/>Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.|
|[CM_CellularEntries CSP](mdm/cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.| |[CM_CellularEntries CSP](mdm/cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.|
|[EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following values:<li> 0 (default) Off / No protection (decrypts previously protected data).<li> 1 Silent mode (encrypt and audit only).<li> 2 Allow override mode (encrypt, prompt and allow overrides, and audit).<li> 3 Hides overrides (encrypt, prompt but hide overrides, and audit).| |[EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following values:<li> 0 (default) Off / No protection (decrypts previously protected data).<li> 1 Silent mode (encrypt and audit only).<li> 2 Allow override mode (encrypt, prompt and allow overrides, and audit).<li> 3 Hides overrides (encrypt, prompt but hide overrides, and audit).|
|[AppLocker CSP](mdm/applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](mdm/applocker-csp.md#allow-list-examples).| |[AppLocker CSP](mdm/applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](mdm/applocker-csp.md#allowlist-examples).|
|[DeviceManageability CSP](mdm/devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:<li>Provider/ProviderID/ConfigInfo<li> Provider/ProviderID/EnrollmentInfo| |[DeviceManageability CSP](mdm/devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:<li>Provider/ProviderID/ConfigInfo<li> Provider/ProviderID/EnrollmentInfo|
|[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:<li>Installation/CurrentStatus| |[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:<li>Installation/CurrentStatus|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.| |[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.|

2612
windows/client-management/mdm/passportforwork-csp.md
View File

File diff suppressed because it is too large Load Diff

576
windows/client-management/mdm/passportforwork-ddf.md
View File

@ -1,31 +1,29 @@
--- ---
title: PassportForWork DDF title: PassportForWork DDF file
description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML. description: View the XML file containing the device description framework (DDF) for the PassportForWork configuration service provider.
ms.reviewer: author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 02/24/2023
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.date: 07/29/2019
--- ---
# PassportForWork DDF <!-- Auto-Generated CSP Document -->
This topic shows the OMA DM device description framework (DDF) for the **PassportForWork** configuration service provider. DDF files are used only with OMA DM provisioning XML. # PassportForWork DDF file
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). The following XML file contains the device description framework (DDF) for the PassportForWork configuration service provider.
The XML below is for Windows 10, version 1903.
```xml ```xml
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" <!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM"> <MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD> <VerDTD>1.2</VerDTD>
<MSFT:Diagnostics>
</MSFT:Diagnostics>
<Node> <Node>
<NodeName>PassportForWork</NodeName> <NodeName>PassportForWork</NodeName>
<Path>./User/Vendor/MSFT</Path> <Path>./User/Vendor/MSFT</Path>
@ -43,11 +41,17 @@ The XML below is for Windows 10, version 1903.
<Permanent /> <Permanent />
</Scope> </Scope>
<DFType> <DFType>
<MIME>com.microsoft/1.6/MDM/PassportForWork</MIME> <DDFName />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.2</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName></NodeName> <NodeName>
</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Add /> <Add />
@ -66,8 +70,11 @@ The XML below is for Windows 10, version 1903.
</Scope> </Scope>
<DFTitle>TenantId</DFTitle> <DFTitle>TenantId</DFTitle>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
<MSFT:DynamicNodeNaming>
<MSFT:UniqueName>A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell.</MSFT:UniqueName>
</MSFT:DynamicNodeNaming>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName>Policies</NodeName> <NodeName>Policies</NodeName>
@ -89,7 +96,7 @@ The XML below is for Windows 10, version 1903.
</Scope> </Scope>
<DFTitle>Policies</DFTitle> <DFTitle>Policies</DFTitle>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
</DFProperties> </DFProperties>
<Node> <Node>
@ -117,8 +124,18 @@ If you disable this policy setting, the device does not provision Windows Hello
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -146,8 +163,18 @@ If you disable or do not configure this policy setting, the TPM is still preferr
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -175,8 +202,22 @@ If you disable or do not configure this policy setting, the PIN recovery secret
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.15063</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -198,7 +239,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
</DFProperties> </DFProperties>
<Node> <Node>
@ -228,8 +269,11 @@ NOTE: If the above specified conditions for the minimum PIN length are not met,
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[4-127]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -259,8 +303,11 @@ NOTE: If the above specified conditions for the maximum PIN length are not met,
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[4-127]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -290,8 +337,22 @@ If you do not configure this policy setting, Windows Hello for Business does not
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allows the use of uppercase letters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires the use of at least one uppercase letters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Does not allow the use of uppercase letters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -321,8 +382,22 @@ If you do not configure this policy setting, Windows Hello for Business does not
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allows the use of lowercase letters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires the use of at least one lowercase letters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Does not allow the use of lowercase letters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -352,8 +427,22 @@ If you do not configure this policy setting, Windows Hello for Business does not
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allows the use of special characters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires the use of at least one special characters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Does not allow the use of special characters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -383,8 +472,22 @@ If you do not configure this policy setting, Windows Hello for Business requires
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allows the use of digits in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires the use of at least one digits in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Does not allow the use of digits in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -408,8 +511,11 @@ If you do not configure this policy setting, Windows Hello for Business requires
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-50]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -433,8 +539,11 @@ If you do not configure this policy setting, Windows Hello for Business requires
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-730]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
@ -458,11 +567,17 @@ If you do not configure this policy setting, Windows Hello for Business requires
<Permanent /> <Permanent />
</Scope> </Scope>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.2</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName></NodeName> <NodeName>
</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Add /> <Add />
@ -481,8 +596,11 @@ If you do not configure this policy setting, Windows Hello for Business requires
</Scope> </Scope>
<DFTitle>TenantId</DFTitle> <DFTitle>TenantId</DFTitle>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
<MSFT:DynamicNodeNaming>
<MSFT:UniqueName>A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet Get-AzureAccount. For more information see https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell.</MSFT:UniqueName>
</MSFT:DynamicNodeNaming>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName>Policies</NodeName> <NodeName>Policies</NodeName>
@ -504,7 +622,7 @@ If you do not configure this policy setting, Windows Hello for Business requires
</Scope> </Scope>
<DFTitle>Policies</DFTitle> <DFTitle>Policies</DFTitle>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
</DFProperties> </DFProperties>
<Node> <Node>
@ -532,8 +650,18 @@ If you disable this policy setting, the device does not provision Windows Hello
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -561,8 +689,18 @@ If you disable or do not configure this policy setting, the TPM is still preferr
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -585,8 +723,12 @@ If you disable or do not configure this policy setting, the TPM is still preferr
</Scope> </Scope>
<DFTitle>ExcludeSecurityDevices</DFTitle> <DFTitle>ExcludeSecurityDevices</DFTitle>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.15063</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName>TPM12</NodeName> <NodeName>TPM12</NodeName>
@ -613,8 +755,18 @@ If you disable or do not configure this policy setting, TPM revision 1.2 modules
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
@ -644,8 +796,22 @@ If you disable or do not configure this policy setting, the PIN recovery secret
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.15063</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -673,8 +839,61 @@ If you disable or do not configure this policy setting, the PIN will be provisio
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>UseCloudTrustForOnPremAuth</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources.
If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain.
If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621, 10.0.22000.527, 10.0.19044.1566</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.6</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -696,7 +915,7 @@ If you disable or do not configure this policy setting, the PIN will be provisio
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
</DFProperties> </DFProperties>
<Node> <Node>
@ -726,8 +945,11 @@ NOTE: If the above specified conditions for the minimum PIN length are not met,
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[4-127]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -757,8 +979,11 @@ NOTE: If the above specified conditions for the maximum PIN length are not met,
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[4-127]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -788,8 +1013,22 @@ If you do not configure this policy setting, Windows Hello for Business does not
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allows the use of uppercase letters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires the use of at least one uppercase letters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Does not allow the use of uppercase letters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -819,8 +1058,22 @@ If you do not configure this policy setting, Windows Hello for Business does not
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allows the use of lowercase letters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires the use of at least one lowercase letters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Does not allow the use of lowercase letters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -850,8 +1103,22 @@ If you do not configure this policy setting, Windows Hello for Business does not
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allows the use of special characters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires the use of at least one special characters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Does not allow the use of special characters in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -881,8 +1148,22 @@ If you do not configure this policy setting, Windows Hello for Business requires
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Allows the use of digits in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires the use of at least one digits in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Does not allow the use of digits in PIN.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -906,8 +1187,11 @@ If you do not configure this policy setting, Windows Hello for Business requires
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-50]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -931,8 +1215,11 @@ If you do not configure this policy setting, Windows Hello for Business requires
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-730]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
@ -955,7 +1242,7 @@ If you do not configure this policy setting, Windows Hello for Business requires
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
</DFProperties> </DFProperties>
<Node> <Node>
@ -981,8 +1268,18 @@ Default value is false. If you enable this setting, a desktop device will allow
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
@ -990,9 +1287,9 @@ Default value is false. If you enable this setting, a desktop device will allow
<NodeName>UseHelloCertificatesAsSmartCardCertificates</NodeName> <NodeName>UseHelloCertificatesAsSmartCardCertificates</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Get />
<Add /> <Add />
<Delete /> <Delete />
<Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>False</DefaultValue> <DefaultValue>False</DefaultValue>
@ -1011,8 +1308,22 @@ Windows requires a user to lock and unlock their session after changing this set
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.6</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
@ -1046,8 +1357,19 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:Deprecated />
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -1067,7 +1389,7 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device
<Permanent /> <Permanent />
</Scope> </Scope>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
</DFProperties> </DFProperties>
<Node> <Node>
@ -1097,8 +1419,18 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -1128,12 +1460,62 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:SupportedValues AllowedValues="true,false"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:SupportedValue value="true" description="Windows will require all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing."/> <MSFT:Enum>
<MSFT:SupportedValue value="false" description="Enhanced anti-spoofing is not required for Windows Hello face authentication."/> <MSFT:Value>false</MSFT:Value>
</MSFT:SupportedValues> <MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>EnableESSwithSupportedPeripherals</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Enhanced Sign-in Security (ESS) isolates both biometric template data and matching operations to trusted hardware or specified memory regions, meaning the rest of the operating system cannot access or tamper with them. Because the channel of communication between the sensors and the algorithm is also secured, it is impossible for malware to inject or replay data in order to simulate a user signing in or to lock a user out of their machine.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<CaseSense>
<CIS />
</CaseSense>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.22621</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Enhanced sign-in security will be disabled on all systems. If a user already has a secure Windows Hello enrollment, they will lose their enrollment and must reset PIN, and they will have the option to re-enroll in normal face and fingerprint. Peripheral usage will be enabled by disabling Enhanced sign-in security. OS will not attempt to start secure components, even if the secure hardware and software components are present. (not recommended)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. For systems with one secure modality (face or fingerprint) and one insecure modality (fingerprint or face), only the secure sensor can be used for sign-in and the insecure sensor(s) will be blocked. This includes peripheral devices, which are unsupported and will be unusable. (default and recommended for highest security)</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:GpMapping GpEnglishName="Enable ESS with Supported Peripherals" GpAreaPath="Passport~AT~WindowsComponents~MSPassportForWorkCategory" />
<MSFT:ConflictResolution>LastWrite</MSFT:ConflictResolution>
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
@ -1154,16 +1536,20 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<Permanent /> <Permanent />
</Scope> </Scope>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17134</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.4</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName>GroupA</NodeName> <NodeName>GroupA</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Get />
<Add /> <Add />
<Delete /> <Delete />
<Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Contains a list of providers by GUID that are to be considered for the first step of authentication</Description> <Description>Contains a list of providers by GUID that are to be considered for the first step of authentication</Description>
@ -1177,17 +1563,20 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
<NodeName>GroupB</NodeName> <NodeName>GroupB</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Get />
<Add /> <Add />
<Delete /> <Delete />
<Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Contains a list of providers by GUID that are to be considered for the second step of authentication</Description> <Description>Contains a list of providers by GUID that are to be considered for the second step of authentication</Description>
@ -1201,17 +1590,20 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
<NodeName>Plugins</NodeName> <NodeName>Plugins</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Get />
<Add /> <Add />
<Delete /> <Delete />
<Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>List of plugins that the passive provider monitors to detect user presence</Description> <Description>List of plugins that the passive provider monitors to detect user presence</Description>
@ -1225,7 +1617,7 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
</DFProperties> </DFProperties>
</Node> </Node>
@ -1247,16 +1639,20 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<Permanent /> <Permanent />
</Scope> </Scope>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.17134</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.4</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName>DynamicLock</NodeName> <NodeName>DynamicLock</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Get />
<Add /> <Add />
<Delete /> <Delete />
<Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>False</DefaultValue> <DefaultValue>False</DefaultValue>
@ -1271,17 +1667,27 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
<NodeName>Plugins</NodeName> <NodeName>Plugins</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Get />
<Add /> <Add />
<Delete /> <Delete />
<Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>List of plugins that the passive provider monitors to detect user absence</Description> <Description>List of plugins that the passive provider monitors to detect user absence</Description>
@ -1295,7 +1701,7 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
</DFProperties> </DFProperties>
</Node> </Node>
@ -1317,16 +1723,20 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<Permanent /> <Permanent />
</Scope> </Scope>
<DFType> <DFType>
<DDFName></DDFName> <DDFName />
</DFType> </DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.18362</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.6</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties> </DFProperties>
<Node> <Node>
<NodeName>UseSecurityKeyForSignin</NodeName> <NodeName>UseSecurityKeyForSignin</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Get />
<Add /> <Add />
<Delete /> <Delete />
<Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>0</DefaultValue> <DefaultValue>0</DefaultValue>
@ -1341,11 +1751,25 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<Dynamic /> <Dynamic />
</Scope> </Scope>
<DFType> <DFType>
<MIME>text/plain</MIME> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
</Node> </Node>
</MgmtTree> </MgmtTree>
``` ```
## Related articles
[PassportForWork configuration service provider reference](passportforwork-csp.md)

21
windows/client-management/mdm/supl-csp.md
View File

@ -17,17 +17,6 @@ ms.topic: reference
# SUPL CSP # SUPL CSP
<!-- SUPL-Editable-Begin --> <!-- SUPL-Editable-Begin -->
The SUPL configuration service provider is used to configure the location client, as shown in the following:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The SUPL configuration service provider is used to configure the location client, as shown in the following table: The SUPL configuration service provider is used to configure the location client, as shown in the following table:
- **Location Service**: Connection type - **Location Service**: Connection type
@ -1664,20 +1653,14 @@ Optional. Integer. Defines the minimum interval of time in seconds between mobil
<!-- SUPL-CspMoreInfo-Begin --> <!-- SUPL-CspMoreInfo-Begin -->
## Unsupported Nodes ## Unsupported Nodes
The following optional nodes aren't supported on Windows devices. The following optional nodes aren't supported on Windows devices.
- ProviderID - ProviderID
- Name - Name
- PrefConRef - PrefConRef
- ToConRef - ToConRef
- ToConRef/&lt;X&gt; - ToConRef/&lt;X&gt;
- ToConRef/&lt;X&gt;/ConRef - ToConRef/&lt;X&gt;/ConRef
- AddrType - AddrType
If the configuration application tries to set, delete or query these nodes, a response indicating this node isn't implemented will be returned over OMA DM. In OMA Client Provisioning, the request to set this node will be ignored and the configuration service provider will continue processing the rest of the nodes. If the configuration application tries to set, delete or query these nodes, a response indicating this node isn't implemented will be returned over OMA DM. In OMA Client Provisioning, the request to set this node will be ignored and the configuration service provider will continue processing the rest of the nodes.
@ -1820,7 +1803,7 @@ The following table shows the Microsoft custom elements that this configuration
|Elements|Available| |Elements|Available|
|--- |--- | |--- |--- |
|parm-query|Yes| |parm-query|Yes|
|characteristic-query|Yes <br/><br/>Recursive query: No<br/><br/>Top level query: No |characteristic-query|Yes <br/><br/>Recursive query: No<br/><br/>Top level query: No|
<!-- SUPL-CspMoreInfo-End --> <!-- SUPL-CspMoreInfo-End -->
<!-- SUPL-End --> <!-- SUPL-End -->