From 03e8420ba6622c5653c05e49edd3f37413b14589 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 19 Oct 2021 13:19:21 +0530 Subject: [PATCH 1/3] Add ConfigLock node in DMClient CSP Task 5499285: update the DMClient CSP document to add the 3 new nodes used by Config Lock. --- windows/client-management/mdm/dmclient-csp.md | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index b8ddb3ffeb..e2b23b7bf3 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -22,7 +22,7 @@ The following shows the DMClient CSP in tree format. ./Vendor/MSFT DMClient ----Provider --------- +--------ProviderID ------------EntDeviceName ------------ExchangeID ------------EntDMID @@ -45,6 +45,10 @@ DMClient ------------HWDevID ------------ManagementServerAddressList ------------CommercialID +------------ConfigLock +----------------Lock +----------------UnlockDuration +----------------SecureCore ------------Push ----------------PFN ----------------ChannelURI 
@@ -598,6 +602,27 @@ Optional. Boolean value that allows the IT admin to require the device to start Supported operations are Add, Get, and Replace. +**Provider/*ProviderID*/ConfigLock** + +Configuration Drift is a major concern for commercial customers. Some customers view it as a security risk. This node mitigates the customer concern by bringing the capability to monitor and quickly remediate the policy configuration when a device is MDM managed. + +Default = Locked + +> [!Note] +>If the device is not Secure Core, then this feature will not work. + +**Provider/*ProviderID*/ConfigLock/Lock** + +Supported operations are Add, Delete, Get. Supported values are 0-unlock, 1-lock. + +**Provider/*ProviderID*/ConfigLock/UnlockDuration** + +Supported operations are Add, Delete, Get. Supported values are 1 to 480 (in min). + +**Provider/*ProviderID*/ConfigLock/SecureCore** + +Supported operation is Get only. Supported values are false or true. + **Provider/*ProviderID*/Push** Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported. From 1fda460b2bce9203b34a5785b25b9870807dc006 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 20 Oct 2021 11:21:13 +0530 Subject: [PATCH 2/3] Updates dm-client CSP as per comments --- windows/client-management/mdm/dmclient-csp.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index e2b23b7bf3..61030b9687 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md 
@@ -604,24 +604,30 @@ Supported operations are Add, Get, and Replace. **Provider/*ProviderID*/ConfigLock** -Configuration Drift is a major concern for commercial customers. Some customers view it as a security risk. This node mitigates the customer concern by bringing the capability to monitor and quickly remediate the policy configuration when a device is MDM managed. +Optional. This node enables [Config Lock](/windows/client-management/mdm/config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected. Default = Locked > [!Note] ->If the device is not Secure Core, then this feature will not work. +>If the device is not a Secured-core PC, then this feature will not work. To know more, see [Secured-core PC](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure). **Provider/*ProviderID*/ConfigLock/Lock** -Supported operations are Add, Delete, Get. Supported values are 0-unlock, 1-lock. +The supported values for this node are 0-unlock, 1-lock. + +Supported operations are Add, Delete, Get. **Provider/*ProviderID*/ConfigLock/UnlockDuration** -Supported operations are Add, Delete, Get. Supported values are 1 to 480 (in min). +The supported values for this node are 1 to 480 (in min). + +Supported operations are Add, Delete, Get. **Provider/*ProviderID*/ConfigLock/SecureCore** -Supported operation is Get only. Supported values are false or true. +The supported values for this node are false or true. + +Supported operation is Get only. **Provider/*ProviderID*/Push** Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported. From bb207e5bf2eb2b689318e88e8f02519d0b8042c8 Mon Sep 17 00:00:00 2001 
From: Alekhya Jupudi Date: Wed, 20 Oct 2021 11:27:34 +0530 Subject: [PATCH 3/3] Fixed suggestion! --- windows/client-management/mdm/dmclient-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 61030b9687..9480172d90 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -604,12 +604,12 @@ Supported operations are Add, Get, and Replace. **Provider/*ProviderID*/ConfigLock** -Optional. This node enables [Config Lock](/windows/client-management/mdm/config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected. +Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected. Default = Locked > [!Note] ->If the device is not a Secured-core PC, then this feature will not work. To know more, see [Secured-core PC](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure). +>If the device is not a Secured-core PC, then this feature will not work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure). **Provider/*ProviderID*/ConfigLock/Lock**
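Review bot: In the `@@ -598,6 +602,27 @@` hunk of patch 1/3, the new `Provider/*ProviderID*/ConfigLock` entry states `Default = Locked`, but the `ConfigLock/Lock` node directly below defines its values as `0-unlock, 1-lock`, so the default should be stated in the node's own terms (for example `Default = 1 (lock)`) and each node should name its data type, as the neighbouring entry in this file does (`Optional. Boolean value that ...`). The same hunk lists only `Add, Delete, Get` for `Lock` and `UnlockDuration`, with no `Replace`: if a value can only be changed by deleting and re-adding the node, or if deleting `ConfigLock/Lock` leaves the device unlocked, that is exactly what an admin needs written here, because it decides whether a device drops out of drift remediation without anyone noticing. `UnlockDuration` also needs one sentence on what happens when the 1 to 480 minute window elapses (automatic re-lock or not). Minor: the `>If the device` line is missing the space after `>` that the `> [!Note]` line above it uses.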
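Review bot: In the `@@ -604,24 +604,30 @@` hunk of patch 2/3, the link `[Config Lock](/windows/client-management/mdm/config-lock.md)` mixes a root-absolute path with an `.md` extension, and the Secured-core link hardcodes `https://docs.microsoft.com/en-us/...`, which pins the host and the locale; both should be plain relative or site-root links (the Config Lock page lives in the same `windows/client-management/mdm/` directory as `dmclient-csp.md`). The sentence `This node enables [Config Lock](...) feature` is missing the article `the`. Splitting supported values and supported operations onto separate lines is an improvement, but `Default = Locked` is carried over unchanged and still does not match the `0-unlock, 1-lock` values defined a few lines below it.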
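Review bot: In the `@@ -604,12 +604,12 @@` hunk of patch 3/3, the relative `config-lock.md` link and the site-root `/windows-hardware/...` link fix the host and locale problems, but the series still never says what `UnlockDuration` controls or what the device does when it expires, and since `SecureCore` is `Get only` and the note states the feature will not work on a device that is not a Secured-core PC, the entry should tell admins to read `SecureCore` before setting `Lock`, otherwise a `Lock` of `1` is accepted but has no effect on such a device. Minor: `enables [Config Lock](config-lock.md) feature` still reads without `the`.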