deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

CSP Documentation improvement-Part1

Browse Source 
Task: 5864419 - Updated the documents in this PR following these parameters: Acrolinx scores, grammar, tips and note misplacements, inconsistent usage of html tags, repetitions, etc.
This commit is contained in:
Alekhya Jupudi 2022-03-11 11:23:33 +05:30
parent ac3b699d21
commit 75c2ba00e3
10 changed files with 338 additions and 412 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -40,13 +40,14 @@ AssignedAccess
----ShellLauncher (Added in Windows 10, version 1803)
----StatusConfiguration (Added in Windows 10, version 1803)
```
<a href="" id="--vendor-msft-assignedaccess"></a>**./Device/Vendor/MSFT/AssignedAccess**
Root node for the CSP.
<a href="" id="assignedaccess-kioskmodeapp"></a>**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app).
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app)
> [!Note]
> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
@ -67,7 +68,7 @@ Here's an example:
> [!Tip]
> In this example the double \\\ is required because it's in JSON and JSON escapes \ into \\\\. If an MDM server uses JSON parser\composer, they should ask customers to type only one \\, which will be \\\ in the JSON. If user types \\\\, it'll become \\\\\\\ in JSON, which will cause erroneous results. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (need to) escape \\.
>
> This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string. 
> This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string.
When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
@ -76,7 +77,6 @@ When configuring the kiosk mode app, the account name will be used to find the t
For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output.
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
<a href="" id="assignedaccess-configuration"></a>**./Device/Vendor/MSFT/AssignedAccess/Configuration**
@ -91,17 +91,17 @@ Enterprises can use this to easily configure and manage the curated lockdown exp
Supported operations are Add, Get, Delete, and Replace.
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout).
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (for example, Start Layout).
<a href="" id="assignedaccess-status"></a>**./Device/Vendor/MSFT/AssignedAccess/Status**
Added in Windows 10, version 1803. This read only polling node allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to “On” or “OnWithAlerts”. If the StatusConfiguration is “Off”, a node not found error will be reported to the MDM server. Click [link](#status-example) to see an example SyncML. [Here](#assignedaccessalert-xsd) is the schema for the Status payload.
In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible status available for single app kiosk mode.
In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible statuses available for single app kiosk mode.
|Status |Description |
|---------|---------|---------|
| KioskModeAppRunning | This means the kiosk app is running normally. |
| KioskModeAppNotFound | This occurs when the kiosk app is not deployed to the machine. |
| KioskModeAppNotFound | This occurs when the kiosk app isn't deployed to the machine. |
| KioskModeAppActivationFailure | This happens when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. |
> [!NOTE]
@ -154,9 +154,9 @@ Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration
<a href="" id="assignedaccess-statusconfiguration"></a>**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration**
Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema.
By default the StatusConfiguration node does not exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node.
By default the StatusConfiguration node doesn't exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node.
Optionally, the MDM server can opt-in to the MDM alert so a MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node.
Optionally, the MDM server can opt in to the MDM alert so a MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node.
This MDM alert header is defined as follows:
@ -431,7 +431,8 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
</xs:schema>
```
Here is the schema for new features introduced in Windows 10 1809 release
Here's the schema for new features introduced in Windows 10 1809 release
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
@ -506,7 +507,8 @@ Schema for Windows 10 prerelease
</xs:schema>
```
To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. for example, to configure auto-launch feature, which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
```xml
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
@ -894,8 +896,8 @@ StatusConfiguration Add OnWithAlerts
</SyncML>
```
StatusConfiguration Delete
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
@ -962,6 +964,7 @@ StatusConfiguration Replace On
## Status example
Status Get
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>

425
windows/client-management/mdm/bitlocker-csp.md
View File

@ -14,17 +14,16 @@ ms.collection: highpri
---
# BitLocker CSP
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro.
> [!NOTE]
> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
>
> You must send all the settings together in a single SyncML to be effective.
A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns
the setting configured by the admin.
A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin.
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
The following shows the BitLocker configuration service provider in tree format.
@ -60,6 +59,9 @@ BitLocker
--------RotateRecoveryPasswordsRequestID
```
> [!TIP]
> These are ADMX-backed policies and for a step-by-step guide to enable them, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**
Defines the root node for the BitLocker configuration service provider.
<!--Policy-->
@ -84,7 +86,7 @@ Supported operations are Add, Get, Replace, and Delete.
Status of OS volumes and encryptable fixed data volumes are checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives.
Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet additional criteria to be considered encryptable:
Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet more criteria to be considered encryptable:
- It must not be a dynamic volume.
- It must not be a recovery partition.
@ -95,7 +97,7 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) —Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes.
- 0 (default) — Disable. If the policy setting isn't set or is set to 0, the device's enforcement status is not checked. The policy doesn't enforce encryption and it does not decrypt encrypted volumes.
- 1 Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).
<!--/SupportedValues-->
If you want to disable this policy, use the following SyncML:
@ -141,22 +143,19 @@ Allows you to set the default encryption method for each of the different drive
<!--/SupportedValues-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)</em></li>
<li>GP name: <em>EncryptionMethodWithXts_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
- GP name: EncryptionMethodWithXts_Name
- GP path: Windows Components/BitLocker Drive Encryption
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
If you enable this setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511.
If you enable this setting you'll be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511.
If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.
If you disable or don't configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.
Sample value for this node to enable this policy and set the encryption methods is:
@ -215,16 +214,13 @@ Allows you to associate unique organizational identifiers to a new drive that is
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Provide the unique identifiers for your organization </em></li>
<li>GP name: <em>IdentificationField_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Provide the unique identifiers for your organization
- GP name: IdentificationField_Name
- GP path: Windows Components/BitLocker Drive Encryption
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This setting is used to establish an identifier that is applied to all drives that are encrypted in your organization.
@ -232,7 +228,7 @@ Identifiers are usually stored as the identification field and the allowed ident
- **BitLocker identification field**: It allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field.
- **Allowed BitLocker identification field**: The allowed identification field is used in combination with the 'Deny write access to removable drives not protected by BitLocker' policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or external organizations.
- **Allowed BitLocker identification field**: The allowed identification field is used in combination with the 'Deny write access to removable drives not protected by BitLocker' policy setting to help control the use of removable drives in your organization. It's a comma-separated list of identification fields from your organization or external organizations.
>[!Note]
>When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization.
@ -250,7 +246,7 @@ Data Id:
- IdentificationField: BitLocker identification field
- SecIdentificationField: Allowed BitLocker identification field
If you disable or do not configure this setting, the identification field is not required.
If you disable or don't configure this setting, the identification field isn't required.
>[!Note]
>Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters.
@ -275,16 +271,13 @@ Allows users on devices that are compliant with InstantGo or the Microsoft Hardw
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN</em></li>
<li>GP name: <em>EnablePreBootPinExceptionOnDECapableDevice_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN
- GP name: EnablePreBootPinExceptionOnDECapableDevice_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" option of the "Require additional authentication at startup" policy on compliant hardware.
@ -317,23 +310,20 @@ Allows users to configure whether or not enhanced startup PINs are used with Bit
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Allow enhanced PINs for startup</em></li>
<li>GP name: <em>EnhancedPIN_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Allow enhanced PINs for startup
- GP name: EnhancedPIN_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. Enhanced startup PINs permit the usage of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker.
>[!Note]
>Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
If you enable this policy setting, all new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.
If you enable this policy setting, all new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected.
Sample value for this node to enable this policy is:
@ -341,7 +331,7 @@ Sample value for this node to enable this policy is:
<enabled/>
```
If you disable or do not configure this policy setting, enhanced PINs will not be used.
If you disable or don't configure this policy setting, enhanced PINs won't be used.
<!--/Policy-->
<!--Policy-->
@ -362,25 +352,22 @@ Allows you to configure whether standard users are allowed to change BitLocker P
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Disallow standard users from changing the PIN or password</em></li>
<li>GP name: <em>DisallowStandardUsersCanChangePIN_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Disallow standard users from changing the PIN or password
- GP name: DisallowStandardUsersCanChangePIN_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This policy setting allows you to configure whether or not standard users are allowed to change the PIN or password, that is used to protect the operating system drive.
>[!Note]
>To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker.
If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.
If you enable this policy setting, standard users won't be allowed to change BitLocker PINs or passwords.
If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs or passwords.
If you disable or don't configure this policy setting, standard users will be permitted to change BitLocker PINs or passwords.
Sample value for this node to disable this policy is:
@ -407,20 +394,17 @@ Allows users to enable authentication options that require user input from the p
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Enable use of BitLocker authentication requiring preboot keyboard input on slates</em></li>
<li>GP name: <em>EnablePrebootInputProtectorsOnSlates_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
- GP Friendly name: Enable use of BitLocker authentication requiring preboot keyboard input on slates
- GP name: EnablePrebootInputProtectorsOnSlates_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
Sample value for this node to enable this policy is:
@ -429,7 +413,7 @@ Sample value for this node to enable this policy is:
```
If this policy is disabled, the Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.
When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard.
When the Windows Recovery Environment is not enabled and this policy is not enabled, you cant turn on BitLocker on a device that uses the Windows touch keyboard.
>[!Note]
>If you do not enable this policy setting, the following options in the **Require additional authentication at startup policy** might not be available:
@ -458,16 +442,13 @@ Allows you to configure the encryption type that is used by BitLocker.
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Enforce drive encryption type on operating system drives</em></li>
<li>GP name: <em>OSEncryptionType_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Enforce drive encryption type on operating system drives
- GP name: OSEncryptionType_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
@ -506,23 +487,20 @@ This setting is a direct mapping to the BitLocker Group Policy "Require addition
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Require additional authentication at startup</em></li>
<li>GP name: <em>ConfigureAdvancedStartup_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
- GP Friendly name: Require additional authentication at startup
- GP name: ConfigureAdvancedStartup_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.
This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.
> [!NOTE]
> Only one of the additional authentication options can be required at startup, otherwise an error occurs.
If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password, then you'll need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
@ -531,43 +509,42 @@ On a computer with a compatible TPM, four types of authentication methods can be
If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.
If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.
If you disable or don't configure this setting, users can configure only basic options on computers with a TPM.
> [!NOTE]
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
> [!NOTE]
> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern
> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN.
> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN.
Sample value for this node to enable this policy is:
```xml
<enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/>
```
Data id:
<ul>
<li>ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).</li>
<li>ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key.</li>
<li>ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN.</li>
<li>ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.</li>
<li>ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.</li>
</ul>
- ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).</li>
- ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key.</li>
- ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN.</li>
- ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.</li>
- ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.</li>
<!--SupportedValues-->
The possible values for 'xx' are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
- true = Explicitly allow</li>
- false = Policy not set</li>
The possible values for 'yy' are:
<ul>
<li>2 = Optional</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
- 2 = Optional</li>
- 1 = Required</li>
- 0 = Disallowed</li>
<!--/SupportedValues-->
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:
```xml
<Replace>
@ -583,8 +560,10 @@ Disabling the policy will let the system choose the default behaviors. If you wa
</Item>
</Replace>
```
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
<!--Description-->
@ -603,16 +582,13 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure minimu
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name:<em>Configure minimum PIN length for startup</em></li>
<li>GP name: <em>MinimumPINLength_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Configure minimum PIN length for startup
- GP name: MinimumPINLength_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
@ -623,7 +599,7 @@ This setting allows you to configure a minimum length for a Trusted Platform Mod
If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.
If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.
If you disable or don't configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.
Sample value for this node to enable this policy is:
@ -650,6 +626,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa
Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
<!--Description-->
@ -669,21 +646,17 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure pre-bo
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Configure pre-boot recovery message and URL</em></li>
<li>GP name: <em>PrebootRecoveryInfo_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Configure pre-boot recovery message and URL
- GP name: PrebootRecoveryInfo_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This setting lets you configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked.
If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).</o>
If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you've previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).</o>
If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
@ -747,24 +720,21 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Choose how BitLocker-protected operating system drives can be recovered</em></li>
<li>GP name: <em>OSRecoveryUsage_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Choose how BitLocker-protected operating system drives can be recovered
- GP name: OSRecoveryUsage_Name
- GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.
The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
@ -775,7 +745,7 @@ Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until rec
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS.
Sample value for this node to enable this policy is:
@ -784,15 +754,18 @@ Sample value for this node to enable this policy is:
```
<!--SupportedValues-->
The possible values for 'xx' are:
- true = Explicitly allow
- false = Policy not set
The possible values for 'yy' are:
- 2 = Allowed
- 1 = Required
- 0 = Disallowed
The possible values for 'zz' are:
- 2 = Store recovery passwords only
- 1 = Store recovery passwords and key packages
<!--/SupportedValues-->
@ -833,24 +806,21 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Choose how BitLocker-protected fixed drives can be recovered</em></li>
<li>GP name: <em>FDVRecoveryUsage_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Choose how BitLocker-protected fixed drives can be recovered
- GP name: FDVRecoveryUsage_Name
- GP path: Windows Components/BitLocker Drive Encryption/Fixed Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
@ -863,7 +833,7 @@ Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
If this setting isn't configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS.
Sample value for this node to enable this policy is:
@ -872,26 +842,23 @@ Sample value for this node to enable this policy is:
```
<!--SupportedValues-->
The possible values for 'xx' are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
- true = Explicitly allow</li>
- false = Policy not set</li>
The possible values for 'yy' are:
<ul>
<li>2 = Allowed</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
- 2 = Allowed</li>
- 1 = Required</li>
- 0 = Disallowed</li>
The possible values for 'zz' are:
<ul>
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
</ul>
- 2 = Store recovery passwords only</li>
- 1 = Store recovery passwords and key packages</li>
<!--/SupportedValues-->
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:
```xml
<Replace>
@ -928,20 +895,17 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Deny write access to fixed drives not protected by BitLocker</em></li>
<li>GP name: <em>FDVDenyWriteAccess_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Deny write access to fixed drives not protected by BitLocker
- GP name: FDVDenyWriteAccess_Name
- GP path: Windows Components/BitLocker Drive Encryption/Fixed Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
If you enable this setting, all fixed data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
Sample value for this node to enable this policy is:
@ -949,7 +913,7 @@ Sample value for this node to enable this policy is:
<enabled/>
```
If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:
If you disable or don't configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:
```xml
<Replace>
@ -986,16 +950,13 @@ Allows you to configure the encryption type on fixed data drives that is used by
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Enforce drive encryption type on fixed data drives</em></li>
<li>GP name: <em>FDVEncryptionType_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Data Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Enforce drive encryption type on fixed data drives
- GP name: FDVEncryptionType_Name
- GP path: Windows Components/BitLocker Drive Encryption/Fixed Data Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This policy setting is applied when you turn on BitLocker and controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user.
@ -1036,22 +997,19 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Deny write access to removable drives not protected by BitLocker</em></li>
<li>GP name: <em>RDVDenyWriteAccess_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removeable Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Deny write access to removable drives not protected by BitLocker
- GP name: RDVDenyWriteAccess_Name
- GP path: Windows Components/BitLocker Drive Encryption/Removeable Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
@ -1065,10 +1023,10 @@ Sample value for this node to enable this policy is:
```
<!--SupportedValues-->
The possible values for 'xx' are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
- true = Explicitly allow</li>
- false = Policy not set</li>
<!--/SupportedValues-->
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
@ -1105,22 +1063,19 @@ Allows you to configure the encryption type that is used by BitLocker.
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Enforce drive encryption type on removable data drives</em></li>
<li>GP name: <em>RDVEncryptionType_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removable Data Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Enforce drive encryption type on removable data drives
- GP name: RDVEncryptionType_Name
- GP path: Windows Components/BitLocker Drive Encryption/Removable Data Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This policy controls whether removed data drives utilize Full encryption or Used Space Only encryption, and is applied when you turn on BitLocker. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.
If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.
If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.
Sample value for this node to enable this policy is:
@ -1149,16 +1104,13 @@ Allows you to control the use of BitLocker on removable data drives.
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
<ul>
<li>GP Friendly name: <em>Control use of BitLocker on removable drives</em></li>
<li>GP name: <em>RDVConfigureBDE_Name</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removable Data Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
> [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
- GP Friendly name: Control use of BitLocker on removable drives
- GP name: RDVConfigureBDE_Name
- GP path: Windows Components/BitLocker Drive Encryption/Removable Data Drives
- GP ADMX file name: VolumeEncryption.admx
<!--/ADMXMapped-->
This policy setting is used to prevent users from turning BitLocker on or off on removable data drives, and is applied when you turn on BitLocker.
@ -1166,7 +1118,7 @@ For information about suspending BitLocker protection, see [BitLocker Basic Depl
The options for choosing property settings that control how users can configure BitLocker are:
- **Allow users to apply BitLocker protection on removable data drives**: Enables the user to enable BitLocker on a removable data drives.
- **Allow users to apply BitLocker protection on removable data drives**: Enables the user to enable BitLocker on removable data drives.
- **Allow users to suspend and decrypt BitLocker on removable data drives**: Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance.
If you enable this policy setting, you can select property settings that control how users can configure BitLocker.
@ -1176,13 +1128,15 @@ Sample value for this node to enable this policy is:
```xml
<enabled/><data id="RDVAllowBDE_Name" value="true"/><data id="RDVDisableBDE_Name" value="true"/>
```
Data id:
- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives
- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives
If this policy is disabled,users cannot use BitLocker on removable disk drives.
If this policy is disabled, users cant use BitLocker on removable disk drives.
If you do not configure this policy setting, users can use BitLocker on removable disk drives.
If you don't configure this policy setting, users can use BitLocker on removable disk drives.
<!--/Policy-->
<!--Policy-->
@ -1230,6 +1184,7 @@ The following list shows the supported values:
>When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
>
>The endpoint for a fixed data drive's backup is chosen in the following order:
>
>1. The user's Windows Server Active Directory Domain Services account.
>2. The user's Azure Active Directory account.
>3. The user's personal OneDrive (MDM/MAM only).
@ -1247,7 +1202,7 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol
"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced.
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy won't try to encrypt drive(s) if a standard user is the current logged on user in the system.
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
@ -1263,9 +1218,9 @@ If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDe
The expected values for this policy are:
- 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
- 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive.
- 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy won't try to enable encryption on any drive.
<!--/SupportedValues-->
If you want to disable this policy use the following SyncML:
If you want to disable this policy, use the following SyncML:
```xml
<Replace>
@ -1309,6 +1264,7 @@ Value type is int. Supported operations are Add, Delete, Get, and Replace.
<!--SupportedValues-->
Supported values are:
- 0 Refresh off (default)
- 1 Refresh on for Azure AD-joined devices
- 2 Refresh on for both Azure AD-joined and hybrid-joined devices
@ -1322,16 +1278,16 @@ Supported values are:
<!--Description-->
This setting refreshes all recovery passwords for OS and fixed drives (removable drives are not included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate.
This setting refreshes all recovery passwords for OS and fixed drives (removable drives aren't included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate.
<!--/Description-->
The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure.
Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client will not retry, but if needed, the server can re-issue the execute request.
Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client won't retry, but if needed, the server can reissue the execute request.
Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh.
Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices cannot refresh recovery passwords if they are only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account.
Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices cant refresh recovery passwords if they're only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account.
Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request.
- RotateRecoveryPasswordsRequestID: Returns request ID of last request processed.
@ -1386,8 +1342,9 @@ This node reports compliance state of device encryption on the system.
Value type is int. Supported operation is Get.
Supported values:
- 0 - Indicates that the device is compliant.
- Any non-zero value - Indicates that the device is not compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table:
- Any non-zero value - Indicates that the device isn't compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table:
| Bit | Error Code |
|-----|------------|
@ -1467,7 +1424,7 @@ Value type is string. Supported operation is Get.
### SyncML example
The following example is provided to show proper format and should not be taken as a recommendation.
The following example is provided to show proper format and shouldn't be taken as a recommendation.
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">

2
windows/client-management/mdm/cellularsettings-csp.md
View File

@ -19,7 +19,7 @@ The CellularSettings configuration service provider is used to configure cellula
> [!Note]
> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider.
```console
./Vendor/MSFT

65
windows/client-management/mdm/certificatestore-csp.md
View File

@ -1,6 +1,6 @@
---
title: CertificateStore CSP
description: Use the The CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates.
description: Use the CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates.
ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3
ms.reviewer:
manager: dansimp
@ -14,15 +14,12 @@ ms.date: 02/28/2020
# CertificateStore CSP
The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates.
> [!Note]
> The CertificateStore configuration service provider does not support installing client certificates.
> The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive.
For the CertificateStore CSP, you cannot use the Replace command unless the node already exists.
The following shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
@ -106,6 +103,7 @@ CertificateStore
----------------ValidTo
----------------TemplateName
```
<a href="" id="root-system"></a>**Root/System**
Defines the certificate store that contains root, or self-signed, certificates.
@ -114,8 +112,6 @@ Supported operation is Get.
> [!NOTE]
> Root/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing root certificates.
<a href="" id="ca-system"></a>**CA/System**
Defines the certificate store that contains cryptographic information, including intermediary certification authorities.
@ -124,8 +120,6 @@ Supported operation is Get.
> [!NOTE]
> CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates.
<a href="" id="my-user"></a>**My/User**
Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications.
@ -134,8 +128,6 @@ Supported operation is Get.
> [!NOTE]
> My/User is case sensitive.
<a href="" id="my-system"></a>**My/System**
Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading.
@ -144,15 +136,13 @@ Supported operation is Get.
> [!NOTE]
> My/System is case sensitive.
<a href="" id="certhash"></a>***CertHash***
Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
Supported operations are Get, Delete, and Replace.
<a href="" id="certhash-encodedcertificate"></a>***CertHash*/EncodedCertificate**
Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.
Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cant include extra formatting characters such as embedded linefeeds, etc.
Supported operations are Get, Add, Delete, and Replace.
@ -189,23 +179,19 @@ Supported operation is Get.
> [!NOTE]
> Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward. All enhancements to SCEP will happen in that CSP.
<a href="" id="my-scep-uniqueid"></a>**My/SCEP/**<strong>*UniqueID*</strong>
Required for SCEP certificate enrollment. A unique ID to differentiate certificate enrollment requests. Format is node.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="my-scep-uniqueid-install"></a>**My/SCEP/*UniqueID*/Install**
Required for SCEP certificate enrollment. Parent node to group SCEP certificate install related request. Format is node.
Required for SCEP certificate enrollment. Parent node to group SCEP certificate installs related request. Format is node.
Supported operations are Add, Replace, and Delete.
> [!NOTE]
> Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values.
<a href="" id="my-scep-uniqueid-install-serverurl"></a>**My/SCEP/*UniqueID*/Install/ServerURL**
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. The server could specify multiple server URLs separated by a semicolon. Value type is string.
@ -219,12 +205,12 @@ Supported operations are Get, Add, Replace, and Delete.
Challenge will be deleted shortly after the Exec command is accepted.
<a href="" id="my-scep-uniqueid-install-ekumapping"></a>**My/SCEP/*UniqueID*/Install/EKUMapping**
Required. Specifies the extended key usages and subject to SCEP server configuration. The list of OIDs are separated by a plus sign **+**, such as OID1+OID2+OID3. Value type is chr.
Required. Specifies the extended key usages and subject to SCEP server configuration. The list of OIDs is separated by a plus sign **+**, such as OID1+OID2+OID3. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-keyusage"></a>**My/SCEP/*UniqueID*/Install/KeyUsage**
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value does not have those bits set, configuration will fail. Value type is an integer.
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
@ -233,14 +219,14 @@ Required. Specifies the subject name.
The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ).
For more details, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-keyprotection"></a>**My/SCEP/*UniqueID*/Install/KeyProtection**
Optional. Specifies the location of the private key. Although the private key is protected by TPM, it is not protected with TPM PIN. SCEP enrolled certificate does not support TPM PIN protection.
Optional. Specifies the location of the private key. Although the private key is protected by TPM, it isn't protected with TPM PIN. SCEP enrolled certificate doesn't support TPM PIN protection.
Supported values are one of the following:
@ -260,12 +246,15 @@ Optional. Specifies the device retry waiting time in minutes when the SCEP serve
Supported operations are Get, Add, and Delete.
<a href="" id="my-scep-uniqueid-install-retrycount"></a>**My/SCEP/*UniqueID*/Install/RetryCount**
Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value cannot be larger than 30. If it is larger than 30, the device will use 30. The min value is 0, which means no retry.
Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value cant be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-templatename"></a>**My/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server; therefore, the MDM server typically does not need to provide it. Value type is chr.
Optional. OID of certificate template name.
>[!Note]
> Template name is typically ignored by the SCEP server; therefore, the MDM server typically doesn't need to provide it. Value type is chr.
Supported operations are Get, Add, and Delete.
@ -282,7 +271,7 @@ Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-cathumbprint"></a>**My/SCEP/*UniqueID*/Install/CAThumbprint**
Required. Specifies the root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it does not match, the authentication fails. Value type is chr.
Required. Specifies the root CA thumbprint. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it doesn't match, the authentication fails. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
@ -305,8 +294,6 @@ Valid values are one of the following:
> [!NOTE]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
<a href="" id="my-scep-uniqueid-install-validperiodunits"></a>**My/SCEP/*UniqueID*/Install/ValidPeriodUnits**
Optional. Specifies desired number of units used in validity period and subject to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Value type is an integer.
@ -315,10 +302,8 @@ Supported operations are Get, Add, Delete, and Replace.
> [!NOTE]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
<a href="" id="my-scep-uniqueid-install-enroll"></a>**My/SCEP/*UniqueID*/Install/Enroll**
Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node does not contain a value.
Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node doesn't contain a value.
Supported operation is Exec.
@ -336,7 +321,7 @@ Valid values are one of the following:
- 1 Finished successfully.
- 2 Pending. The device has not finished the action, but has received the SCEP server pending response.
- 2 Pending. The device hasn't finished the action, but has received the SCEP server pending response.
- 16 - Action failed.
@ -348,7 +333,7 @@ Optional. The integer value that indicates the HRESULT of the last enrollment er
Supported operation is Get.
<a href="" id="my-scep-uniqueid-certthumbprint"></a>**My/SCEP/*UniqueID*/CertThumbprint**
Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr.
Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr.
Supported operation is Get.
@ -358,7 +343,7 @@ Required. Returns the URL of the SCEP server that responded to the enrollment re
Supported operation is Get.
<a href="" id="my-wstep"></a>**My/WSTEP**
Required for MDM enrolled device. The parent node that hosts the MDM enrollment client certificate related settings that is enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node.
Required for MDM enrolled device. The parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node.
Supported operation is Get.
@ -368,7 +353,7 @@ Optional. The parent node to group renewal related settings.
Supported operation is Get.
<a href="" id="my-wstep-renew-serverurl"></a>**My/WSTEP/Renew/ServerURL**
Optional. Specifies the URL of certificate renewal server. If this node does not exist, the client uses the initial certificate enrollment URL.
Optional. Specifies the URL of certificate renewal server. If this node doesn't exist, the client uses the initial certificate enrollment URL.
> [!NOTE]
> The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service.
@ -378,7 +363,7 @@ Optional. Specifies the URL of certificate renewal server. If this node does not
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="my-wstep-renew-renewalperiod"></a>**My/WSTEP/Renew/RenewalPeriod**
Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It is recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity.
Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity.
The default value is 42 and the valid values are 1 1000. Value type is an integer.
@ -387,8 +372,6 @@ Supported operations are Add, Get, Delete, and Replace.
> [!NOTE]
> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
<a href="" id="my-wstep-renew-retryinterval"></a>**My/WSTEP/Renew/RetryInterval**
Optional. Specifies the retry interval (in days) when the previous renewal failed. It applies to both manual certificate renewal and ROBO automatic certificate renewal. The retry schedule stops at the certificate expiration date.
@ -403,8 +386,6 @@ Supported operations are Add, Get, Delete, and Replace.
> [!NOTE]
> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
<a href="" id="my-wstep-renew-robosupport"></a>**My/WSTEP/Renew/ROBOSupport**
Optional. Notifies the client if the MDM enrollment server supports ROBO auto certificate renewal. Value type is bool.
@ -415,8 +396,6 @@ Supported operations are Add, Get, Delete, and Replace.
> [!NOTE]
> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
<a href="" id="my-wstep-renew-status"></a>**My/WSTEP/Renew/Status**
Required. Shows the latest action status for this certificate. Value type is an integer.
@ -425,11 +404,8 @@ Supported operation is Get.
Supported values are one of the following:
- 0 Not started.
- 1 Renewal in progress.
- 2 Renewal succeeded.
- 3 Renewal failed.
<a href="" id="my-wstep-renew-errorcode"></a>**My/WSTEP/Renew/ErrorCode**
@ -454,7 +430,6 @@ Supported operations are Add, Get, and Replace.
## Examples
Add a root certificate to the MDM server.
```xml

2
windows/client-management/mdm/cleanpc-csp.md
View File

@ -16,12 +16,14 @@ manager: dansimp
The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
The following shows the CleanPC configuration service provider in tree format.
```
./Device/Vendor/MSFT
CleanPC
----CleanPCWithoutRetainingUserData
----CleanPCRetainingUserData
```
<a href="" id="--device-vendor-msft-cleanpc"></a>**./Device/Vendor/MSFT/CleanPC**
<p>The root node for the CleanPC configuration service provider.</p>

2
windows/client-management/mdm/cleanpc-ddf.md
View File

@ -1,6 +1,6 @@
---
title: CleanPC DDF
description: This topic shows the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML.
description: Learn about the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B
ms.reviewer:
manager: dansimp

27
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -16,7 +16,7 @@ ms.date: 07/30/2021
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
> [!Note]
> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
@ -24,6 +24,7 @@ For PFX certificate installation and SCEP installation, the SyncML commands must
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following shows the ClientCertificateInstall configuration service provider in tree format.
```
./Vendor/MSFT
ClientCertificateInstall
@ -65,6 +66,7 @@ ClientCertificateInstall
------------ErrorCode
------------RespondentServerUrl
```
<a href="" id="device-or-user"></a>**Device or User**
For device certificates, use <strong>./Device/Vendor/MSFT</strong> path and for user certificates use <strong>./User/Vendor/MSFT</strong> path.
@ -100,7 +102,7 @@ The data type is an integer corresponding to one of the following values:
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node isn't specified when Windows Hello for Business KSP is chosen, enrollment will fail.
Date type is string.
@ -115,7 +117,7 @@ Supported operations are Get, Add, and Replace.
If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten.
If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail.
If Add is called on this node for a new PFX, the certificate will be added. When a certificate doesn't exist, Replace operation on this node will fail.
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in <a href="/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)" data-raw-source="[CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85))">CRYPT_INTEGER_BLOB</a>.
@ -131,7 +133,7 @@ Optional. Used to specify whether the PFX certificate password is encrypted with
The data type is int. Valid values:
- 0 - Password is not encrypted.
- 0 - Password isn't encrypted.
- 1 - Password is encrypted with the MDM certificate.
- 2 - Password is encrypted with custom certificate.
@ -140,7 +142,7 @@ When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCer
Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX isn't exportable when it's installed to TPM.
> [!Note]
> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
@ -202,7 +204,7 @@ Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-ekumapping"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus <strong>+</strong>. For example, <em>OID1</em>+<em>OID2</em>+<em>OID3</em>.
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs is separated by a plus <strong>+</strong>. For example, <em>OID1</em>+<em>OID2</em>+<em>OID3</em>.
Data type is string.
@ -213,7 +215,7 @@ Required. Specifies the subject name.
The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ).
For more details, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
Data type is string.
@ -330,7 +332,10 @@ Valid values are:
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) is defined in the ValidPeriod node.
>[!Note]
> The valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
Data type is string.
@ -340,7 +345,7 @@ Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-containername"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node isn't specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
Data type is string.
@ -354,7 +359,7 @@ Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-enroll"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
Required. Triggers the device to start the certificate enrollment. The device won't notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
The date type format is Null, meaning this node doesnt contain a value.
@ -368,7 +373,7 @@ Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-certthumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
Optional. Specifies the current certificates thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
Optional. Specifies the current certificates thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string.

90
windows/client-management/mdm/cm-cellularentries-csp.md
View File

@ -49,26 +49,26 @@ CM_CellularEntries
```
<a href="" id="entryname"></a>***entryname***
<p>Defines the name of the connection.</p>
Defines the name of the connection.</p>
<p>The <a href="cmpolicy-csp.md" data-raw-source="[CMPolicy configuration service provider](cmpolicy-csp.md)">CMPolicy configuration service provider</a> uses the value of <em>entryname</em> to identify the connection that is associated with a policy and <a href="cm-proxyentries-csp.md" data-raw-source="[CM\_ProxyEntries configuration service provider](cm-proxyentries-csp.md)">CM_ProxyEntries configuration service provider</a> uses the value of <em>entryname</em> to identify the connection that is associated with a proxy.</p>
The [CMPolicy configuration service provider](cmpolicy-csp.md) uses the value of *entryname* to identify the connection that is associated with a policy and [CM\_ProxyEntries configuration service provider](cm-proxyentries-csp.md) uses the value of *entryname* to identify the connection that is associated with a proxy.</p>
<a href="" id="alwayson"></a>**AlwaysOn**
<p>Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available.
Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available.
<p>A value of &quot;0&quot; specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS.
A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS.
<p>A value of &quot;1&quot; specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs.
A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs.
<p>There must be at least one AlwaysOn Internet connection provisioned for the mobile operator.
There must be at least one AlwaysOn Internet connection provisioned for the mobile operator.
<a href="" id="authtype"></a>**AuthType**
<p>Optional. Type: String. Specifies the method of authentication used for a connection.
Optional. Type: String. Specifies the method of authentication used for a connection.
<p>A value of &quot;CHAP&quot; specifies the Challenge Handshake Application Protocol. A value of &quot;PAP&quot; specifies the Password Authentication Protocol. A value of &quot;None&quot; specifies that the UserName and Password parameters are ignored. The default value is &quot;None&quot;.
A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None".
<a href="" id="connectiontype"></a>**ConnectionType**
<p>Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available:
Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available:
|Connection type|Usage|
|--- |--- |
@ -79,51 +79,49 @@ CM_CellularEntries
|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi|
|Iwlan|Used for connections that are implemented over WiFi offload only|
<a href="" id="desc-langid"></a>**Desc.langid**
<p>Optional. Specifies the UI display string used by the defined language ID.
Optional. Specifies the UI display string used by the defined language ID.
<p> A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as <code>Desc.0409</code> with a value of <code>&quot;GPRS Connection&quot;</code> will force &quot;GPRS Connection&quot; to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no <strong>Desc</strong> parameter is provisioned for a given language, the system will default to the name used to create the entry.
A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as <code>Desc.0409</code> with a value of <code>"GPRS Connection"</code> will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no <strong>Desc</strong> parameter is provisioned for a given language, the system will default to the name used to create the entry.
<a href="" id="enabled"></a>**Enabled**
<p> Specifies if the connection is enabled.
Specifies if the connection is enabled.
<p> A value of &quot;0&quot; specifies that the connection is disabled. A value of &quot;1&quot; specifies that the connection is enabled.
A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled.
<a href="" id="ipheadercompression"></a>**IpHeaderCompression**
<p> Optional. Specifies if IP header compression is enabled.
Optional. Specifies if IP header compression is enabled.
<p> A value of &quot;0&quot; specifies that IP header compression for the connection is disabled. A value of &quot;1&quot; specifies that IP header compression for the connection is enabled.
A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled.
<a href="" id="password"></a>**Password**
<p> Required if AuthType is set to a value other than &quot;None&quot;. Specifies the password used to connect to the APN.
Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN.
<a href="" id="swcompression"></a>**SwCompression**
<p> Optional. Specifies if software compression is enabled.
Optional. Specifies if software compression is enabled.
<p> A value of &quot;0&quot; specifies that software compression for the connection is disabled. A value of &quot;1&quot; specifies that software compression for the connection is enabled.
A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled.
<a href="" id="username"></a>**UserName**
<p> Required if AuthType is set to a value other than &quot;None&quot;. Specifies the user name used to connect to the APN.
Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN.
<a href="" id="userequiresmappingspolicy"></a>**UseRequiresMappingsPolicy**
<p> Optional. Specifies if the connection requires a corresponding mappings policy.
Optional. Specifies if the connection requires a corresponding mappings policy.
<p> A value of &quot;0&quot; specifies that the connection can be used for any general Internet communications. A value of &quot;1&quot; specifies that the connection is only used if a mapping policy is present.
A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present.
<p> For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to &quot;1&quot; and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
<a href="" id="version"></a>**Version**
<p> Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager&#39;s configuration service provider.
Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider.
<p> This value must be &quot;1&quot; if included.
This value must be "1" if included.
<a href="" id="gprsinfoaccesspointname"></a>**GPRSInfoAccessPointName**
<p> Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 &quot;10.1.1 Define PDP Context +CGDCONT&quot;.
Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT".
<a href="" id="roaming"></a>**Roaming**
<p> Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available:
Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available:
- 0 - Home network only.
- 1 (default)- All roaming conditions (home and roaming).
@ -133,57 +131,53 @@ CM_CellularEntries
- 5 - Roaming only.
<a href="" id="oemconnectionid"></a>**OEMConnectionID**
<p> Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
<a href="" id="apnid"></a>**ApnId**
<p> Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is &quot;0&quot; (none). This parameter is only used on LTE devices.
Optional. Type: Int. Specifies the purpose of the APN. If a value isn't specified, the default value is "0" (none). This parameter is only used on LTE devices.
<a href="" id="iptype"></a>**IPType**
<p> Optional. Type: String. Specifies the network protocol of the connection. Available values are &quot;IPv4&quot;, &quot;IPv6&quot;, &quot;IPv4v6&quot;, and &quot;IPv4v6xlat&quot;. If a value is not specified, the default value is &quot;IPv4&quot;.
Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value isn't specified, the default value is "IPv4".
> [!WARNING]
> Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6.
<a href="" id="exemptfromdisablepolicy"></a>**ExemptFromDisablePolicy**
<p> Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of &quot;0&quot; specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of &quot;1&quot; specifies that the connection is exempt. If a value is not specified, the default value is &quot;0&quot; (not exempt).
Added back in Windows 10, version 1511.Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value isn't specified, the default value is "0" (not exempt).
<p> To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to &quot;1&quot;. This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed.
To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF.
>[!Note]
> Sending MMS while roaming is still not allowed.
> [!IMPORTANT]
> Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections.
<p> To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should:
To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should:
- Hide the toggle for AllowMmsIfDataIsOff by setting AllowMmsIfDataIsOffEnabled to 0 (default is 1)
- Set AllowMMSIfDataIsOff to 1 (default is 0)
<a href="" id="exemptfromroaming"></a>**ExemptFromRoaming**
<p> Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of &quot;0&quot; specifies that the connection is subject to the roaming policy (not exempt). A value of &quot;1&quot; specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is &quot;0&quot; (not exempt).
Added back in Windows 10, version 1511.Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt).
<a href="" id="tetheringnai"></a>**TetheringNAI**
<p> Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of &quot;0&quot; specifies that the connection is not a tethering connection. A value of &quot;1&quot; specifies that the connection is a tethering connection. If a value is not specified, the default value is &quot;0&quot;.
Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0".
<a href="" id="idledisconnecttimeout"></a>**IdleDisconnectTimeout**
<p> Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds.
Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds.
> [!IMPORTANT]
> <p> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used.
> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used.
> [!NOTE]
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
<a href="" id="simiccid"></a>**SimIccId**
<p> For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
For single SIM phones, this parm isOptional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
<a href="" id="purposegroups"></a>**PurposeGroups**
<p> Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
- Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F
- LTE attach - 11A6FE68-5B47-4859-9CB6-1EAC96A8F0BD
@ -197,7 +191,6 @@ CM_CellularEntries
## Additional information
To delete a connection, you must first delete any associated proxies and then delete the connection. The following example shows how to delete the proxy and then the connection.
```xml
@ -213,7 +206,6 @@ To delete a connection, you must first delete any associated proxies and then de
## OMA client provisioning examples
Configuring a GPRS connection:
```xml

11
windows/client-management/mdm/cmpolicy-csp.md
View File

@ -23,7 +23,7 @@ The CMPolicy configuration service provider defines rules that the Connection Ma
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies
**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
@ -67,12 +67,12 @@ The following list describes the available mapping policy types:
<a href="" id="host"></a>**Host**
Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use.
The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there's no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
<a href="" id="orderedconnections"></a>**OrderedConnections**
Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn**<strong>*XXX*</strong>
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits, which increment starting from "000". For example, a policy, which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
@ -93,7 +93,6 @@ For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. Th
|Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}|
|Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}|
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
|Network type|GUID|
@ -113,7 +112,6 @@ For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network typ
|Ethernet 100 Mbps|{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}|
|Ethernet Gbps|{556C1E6B-B8D4-448E-836D-9451BA4CCE75}|
For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available:
|Device type|GUID|
@ -123,8 +121,6 @@ For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type.
|Bluetooth|{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}|
|Virtual|{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}|
<a href="" id="type"></a>**Type**
Specifies the type of connection being referenced. The following list describes the available connection types:
@ -232,7 +228,6 @@ Adding a host-based mapping policy. In this example, the ConnectionId for type C
## OMA DM examples
Adding an application-based mapping policy:
```xml

9
windows/client-management/mdm/cmpolicyenterprise-csp.md
View File

@ -14,17 +14,14 @@ ms.date: 06/26/2017
# CMPolicyEnterprise CSP
The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
@ -72,10 +69,10 @@ The host pattern can have two wild cards, "\*" and "+". The host pattern is not
<a href="" id="orderedconnections"></a>**OrderedConnections**
Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn**<strong>*XXX*</strong>
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy which is applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
<a href="" id="connectionid"></a>**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.