From 42dbc9d9d2a1906b1721fdc24851007db6aca175 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 10 Jul 2019 12:32:01 -0700 Subject: [PATCH 1/8] Added ApplicationControlCSP content --- .../mdm/applicationcontrol-csp-ddf.md | 906 ++++++++++++++++++ .../mdm/applicationcontrol-csp.md | 191 ++++ .../provisioning-csp-applicationcontrol.png | Bin 0 -> 22335 bytes 3 files changed, 1097 insertions(+) create mode 100644 windows/client-management/mdm/applicationcontrol-csp-ddf.md create mode 100644 windows/client-management/mdm/applicationcontrol-csp.md create mode 100644 windows/client-management/mdm/images/provisioning-csp-applicationcontrol.png diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md new file mode 100644 index 0000000000..85e0516dfd --- /dev/null +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md 
@@ -0,0 +1,906 @@ +--- +title: EnrollmentStatusTracking CSP +description: EnrollmentStatusTracking CSP +ms.author: dansimp@microsoft.com +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: ManikaDhiman +ms.date: 05/17/2019 +--- + +# EnrollmentStatusTracking DDF + + +This topic shows the OMA DM device description framework (DDF) for the **EnrollmentStatusTracking** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +### EnrollmentStatusTracking CSP + +```xml + +]> + + 1.2 + + EnrollmentStatusTracking + ./User/Vendor/MSFT + + + + + These settings are used to communicate what policies the Enrollment Status Page (ESP) should block on. Using these settings, policy providers register themselves and the set of policies that need to be tracked. The ESP will include the counts of these policy sets in the status message to the user, and blocks progress on that page until all policies are provisioned. The policy provider is expected to drive the status updates by updating the appropriate node values, which will then be reflected in the ESP status message. + + + + + + + + + + + com.microsoft/1.0/MDM/EnrollmentStatusTracking + + + + Setup + + + + + These settings are read by the Enrollment Status Page (ESP) during the Account Setup phase. Policy providers use these nodes to communicate progress state back to the ESP, which is then displayed to the user through progress message updates. + + + + + + + + + + + + + + + + + + Apps + + + + + Policy providers use these settings to communicate to the ESP which app installations it should block on and provide progress in the status message to the user. + + + + + + + + + + + + + + + + + + PolicyProviders + + + + + These settings are read by the Enrollment Status Page (ESP) during the Device Setup phase. 
Policy providers use these nodes to communicate progress state back to the ESP, which is then displayed to the user through progress message updates. + + + + + + + + + + + + + + + + + + + + + + + + + + This node represents an app policy provider for the Enrollment Status Page (ESP). Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true. + + + + + + + + + + + + + ProviderName + + + + + + TrackingPoliciesCreated + + + + + + + + Indicates when the provider has created the required policies for the ESP to use for tracking app installation progress. The policy provider itself is expected to set the value of this node, not the MDM server. + + + + + + + + + + + + + + text/plain + + + + + + + Tracking + + + + + This node represents an app policy provider for the Enrollment Status Page (ESP). Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true. + + + + + + + + + + + + + + + + + + + + + + + + + + The name of the provider responsible for installing these apps and providing status back to the Enrollment Status Page. + + + + + + + + + + + + + ProviderName + + + + + + + + + + + + + + A unique name for the app whose progress should be tracked in the ESP. The app name can be arbitrary as it is not used directly by the ESP, so the value can be defined however the policy provider chooses. + + + + + + + + + + + + + AppName + + + + + + TrackingUri + + + + + + + + An optional URI to another CSP for tracking the apps installation. If this value is not set, installation status is derived from the InstallationState node. + + + + + + + + + + + + + + text/plain + + + + + InstallationState + + + + + + + + The installation state for the app. This node should be updated by the policy providers (not the MDM server) so the ESP can track the installation progress and update the status message. 
Expected values: 1 = NotInstalled, 2 = InProgress, 3 = Completed, 4 = Error + + + + + + + + + + + + + + text/plain + + + + + RebootRequired + + + + + + + + An optional node indicating if the app installation requires the ESP to issue a reboot. This node should be set by the policy provider installing the app (not the MDM server). Expected values: 1 = NotRequired, 2 = SoftReboot, 3 = HardReboot. If this node is not set, the ESP will not reboot the device for this app install. + + + + + + + + + + + + + + text/plain + + + + + + + + + HasProvisioningCompleted + + + + + false + This node is set by the Enrollment Status Page (ESP) when it completes. Providers are able to query this node to determine if the ESP is showing, allowing them to bifurcate their logic accordingly. For instance, when an app install requires a reboot, the policy provider should let the ESP issue the reboot by setting RebootRequired value for that app if and only if the ESP is running, otherwise, the policy provider is responsible for issuing a reboot themselves. + + + + + + + + + + + + + + text/plain + + + + + + + EnrollmentStatusTracking + ./Device/Vendor/MSFT + + + + + These settings are used to communicate what policies the Enrollment Status Page (ESP) should block on. Using these settings, policy providers register themselves and the set of policies that need to be tracked. The ESP will include the counts of these policy sets in the status message to the user, and blocks progress on that page until all policies are provisioned. The policy provider is expected to drive the status updates by updating the appropriate node values, which will then be reflected in the ESP status message. + + + + + + + + + + + com.microsoft/1.0/MDM/EnrollmentStatusTracking + + + + DevicePreparation + + + + + These settings are read by the Enrollment Status Page (ESP) during the Device Preparation phase. 
These setting are used to orchestrate any setup activities prior to provisioning the device in the Device Setup phase of the ESP. + + + + + + + + + + + + + + + + + + PolicyProviders + + + + + These nodes indicate to the Enrollment Status Page (ESP) that it should wait in the Device Preparation phase until all PolicyProviders are installed or marked as not required. + + + + + + + + + + + + + + + + + + + + + + + + + + This node represents a policy provider for the Enrollment Status Page (ESP). The node should be given a unique name for the policy provider. Registration of a policy provider indicates to the Enrollment Status Page that it should block in the Device Preparation phase until the provider sets its InstallationState node to 1 (not required) or 2 (complete). Once all registered policy providers have been marked as completed (or not required), the Enrollment Status Page will progress to the Device Setup phase. + + + + + + + + + + ProviderName + + + + + + InstallationState + + + + + + + + This node communicates the policy provider installation state back to the Enrollment Status Page. Expected values: 1 = NotInstalled, 2 = NotRequired, 3= Completed, 4 = Error. + + + + + + + + + + + + + + text/plain + + + + + LastError + + + + + + + + If a policy provider fails to install, it can optionally set an HRESULT error code that the Enrollment Status Page can display in an error message to the user. This node will only be read by the Enrollment Status Page when the provider's InstallationState node is set to 3 (Error). This node is only intended to be set by the policy provider itself, not the MDM server. + + + + + + + + + + + text/plain + + + + + Timeout + + + + + + + + An optional timeout (in minutes) for provider installation to complete before the Enrollment Status Page shows an error. Provider installation is considered complete when the InstallationState node is set to 2 (NotRequired) or 3 (Complete). 
If no timeout value is supplied the ESP will choose a default timeout value of 15 minutes. + + + + + + + + + + + + + + text/plain + + + + + TrackedResourceTypes + + + + + + + + This node's children registers which resource types the policy provider supports for provisioning. Only registered providers for a particular resource type will have their policies incorporated with Enrollment Status Page tracking message. + + + + + + + + + + + + + + + + + + Apps + + + + + + + + false + This node registers the policy provider for App provisioning. + + + + + + + + + + + + + + text/plain + + + + + + + + + Setup + + + + + These settings are read by the Enrollment Status Page (ESP) during the Device Setup phase. Policy providers use these nodes to communicate progress state back to the ESP, which is then displayed to the user through progress message updates. + + + + + + + + + + + + + + + + + + Apps + + + + + These settings are used to communicate what policies the Enrollment Status Page (ESP) should block on. Using these settings, policy providers register themselves and the set of policies that need to be tracked. The ESP will include the counts of these policy sets in the status message to the user, and blocks progress on that page until all policies are provisioned. The policy provider is expected to drive the status updates by updating the appropriate node values, which will then be reflected in the ESP status message. + + + + + + + + + + + + + + + + + + PolicyProviders + + + + + App policy providers for this CSP. These are the policy providers the ESP should wait on before showing the tracking message with status to the user. + + + + + + + + + + + + + + + + + + + + + + + + + + This node represents an app policy provider for the Enrollment Status Page (ESP). Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true. 
+ + + + + + + + + + + + + ProviderName + + + + + + TrackingPoliciesCreated + + + + + + + + Indicates when the provider has created the required policies for the ESP to use for tracking app installation progress. The policy provider itself is expected to set the value of this node, not the MDM server. + + + + + + + + + + + + + + text/plain + + + + + + + Tracking + + + + + These are the set of apps that are being tracked by the Enrollment Status Page. + + + + + + + + + + + + + + + + + + + + + + + + + + The name of the provider responsible for installing these apps and providing status back to the Enrollment Status Page. + + + + + + + + + + + + + ProviderName + + + + + + + + + + + + + + A unique name for the app whose progress should be tracked in the ESP. The app name can be arbitrary as it is not used directly by the ESP, so the value can be defined however the policy provider chooses. + + + + + + + + + + + + + AppName + + + + + + TrackingUri + + + + + + + + An optional URI to another CSP for tracking the apps installation. If this value is not set, installation status is derived from the InstallationState node. + + + + + + + + + + + + + + text/plain + + + + + InstallationState + + + + + + + + The installation state for the app. This node should be updated by the policy providers (not the MDM server) so the ESP can track the installation progress and update the status message. Expected values: 1 = NotInstalled, 2 = InProgress, 3 = Completed, 4 = Error + + + + + + + + + + + + + + text/plain + + + + + RebootRequired + + + + + + + + An optional node indicating if the app installation requires the ESP to issue a reboot. This node should be set by the policy provider installing the app (not the MDM server). Expected values: 1 = NotRequired, 2 = SoftReboot, 3 = HardReboot. If this node is not set, the ESP will not reboot the device for this app install. 
+ + + + + + + + + + + + + + text/plain + + + + + + + + + HasProvisioningCompleted + + + + + false + This node is set by the Enrollment Status Page (ESP) when it completes. Providers are able to query this node to determine if the ESP is showing, allowing them to bifurcate their logic accordingly. For instance, when an app install requires a reboot, the policy provider should let the ESP issue the reboot by setting RebootRequired value for that app if and only if the ESP is running, otherwise, the policy provider is responsible for issuing a reboot themselves. + + + + + + + + + + + + + + text/plain + + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md new file mode 100644 index 0000000000..d352156f6c --- /dev/null +++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -0,0 +1,191 @@ +--- +title: ApplicationControl CSP +description: ApplicationControl CSP +ms.author: dansimp@microsoft.com +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: ManikaDhiman +ms.date: 05/21/2019 +--- + +# ApplicationControl CSP + +Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the AppLocker CSP, the ApplicationControl CSP correctly detects the presence of the no-reboot option and consequently does not schedule a reboot. +Existing WDAC policies which were deployed using the AppLocker CSP’s CodeIntegrity node can be deployed via the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will occur in the ApplicationControl CSP only. + +The ApplicationControl CSP was added in Windows 10, version 1903. + +The following diagram shows the ApplicationControl CSP in tree format. + +![tree diagram for applicationcontrol csp](images/provisioning-csp-applicationcontrol.png) + +**./Vendor/MSFT/ApplicationControl** +Defines the root node for the ApplicationControl CSP. + +Scope is permanent. Supported operation is Get. + +**ApplicationControl/Policies** +This subtree contains all the policies, which are each identified by their GUID. + +Scope is permanent. Supported operation is Get. + +**ApplicationControl/Policies/_Policy GUID_** +The ApplicationControl CSP enforces that the “ID” segment of a given policy URI is the same GUID as the policy ID in the policy blob. 
Each Policy GUID node contains a Policy node and a corresponding PolicyInfo node. + +Scope is dynamic. Supported operation is Get. + +**ApplicationControl/Policies/_Policy GUID_/Policy** +This node is the policy binary itself, which is encoded as base64. + +Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. + +Value type is b64. Supported value is any well-formed WDAC policy, i.e. the base64-encoded content output by the ConvertFrom-CIPolicy cmdlet. + +Default value is empty. + + +**ApplicationControl/Policies/_Policy GUID_/PolicyInfo** +This subtree has nodes containing information which describes the policy indicated by the GUID. + +Scope is dynamic. Supported operation is Get. + +**EApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version** +This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing use a uint64 as the containing data type. + +Scope is dynamic. Supported operation is Get. + +Value type is char. + +**EApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective** +This node specifies whether a policy is actually loaded by the enforcement engine and is in effect on a system. + +Scope is dynamic. Supported operation is Get. + +Value type is bool. Supported values are as follows: +- True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system. +- False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default. + + +**EApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed** +This node specifies whether a policy is on the system and is present on the physical machine. + +Scope is dynamic. Supported operation is Get. + +Value type is bool. Supported values are as follows: +- True — Indicates that the policy is on the system and is present on the physical machine. 
+- False — Indicates that the policy is not on the system and is not present on the physical machine. This is the default. + + +**EApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** +This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy cannot take effect on the system. + +Scope is dynamic. Supported operation is Get. + +Value type is bool. Supported values are as follows: +- True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system. +- False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. + + +The following table provides the policy output based on different combinations of PolicyInfo nodes values: + +**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/TrackedResourceTypes** +Required. This node is supported only in device context. +This node's children register which resource types the policy provider supports for provisioning. Only registered providers for a particular resource type will have their policies incorporated with ESP tracking message. + +Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. + +**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/TrackedResourceTypes/Apps** +Required. This node is supported only in device context. +This node specifies if the policy provider is registered for app provisioning. + +Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. + +Value type is boolean. Expected values are as follows: +- false — Indicates that the policy provider is not registered for app provisioning. This is the default. +- true — Indicates that the policy provider is registered for app provisioning. + +**EnrollmentStatusTracking/Setup** +Required. This node is supported in both user context and device context. 
+Provides the settings that ESP reads during the account setup phase in the user context and device setup phase in the device context. Policy providers use this node to communicate progress status back to the ESP, which is then displayed to the user through progress messages. + +Scope is permanent. Supported operation is Get. + +**EnrollmentStatusTracking/Setup/Apps** +Required. This node is supported in both user context and device context. +Provides the settings to communicate to the ESP which app installations it should block on and provide progress in the status message to the user. + +Scope is permanent. Supported operation is Get. + +**EnrollmentStatusTracking/Setup/Apps/PolicyProviders** +Required. This node is supported in both user context and device context. +Specifies the app policy providers for this CSP. These are the policy providers the ESP should wait on before showing the tracking message with the status to the user. + +Scope is permanent. Supported operation is Get. + +**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**/***ProviderName*** +Optional. This node is supported in both user context and device context. +Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true. + +Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. + +**EnrollmentStatusTracking/Setup/Apps/PolicyProviders/*ProviderName*/TrackingPoliciesCreated** +Required. This node is supported in both user context and device context. +Indicates if the provider has created the required policies for the ESP to use for tracking app installation progress. The policy provider itself is expected to set the value of this node, not the MDM server. + +Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. + +Value type is boolean. 
The expected values are as follows: +- true — Indicates that the provider has created the required policies. +- false — Indicates that the provider has not created the required policies. This is the default. + +**EnrollmentStatusTracking/Setup/Apps/Tracking** +Required. This node is supported in both user context and device context. +Root node for the app installations being tracked by the ESP. + +Scope is permanent. Supported operation is Get. + +**EnrollmentStatusTracking/Setup/Apps/Tracking/_ProviderName_** +Optional. This node is supported in both user context and device context. +Indicates the provider name responsible for installing the apps and providing status back to ESP. + +Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. + +**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/_AppName_** +Optional. This node is supported in both user context and device context. +Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP does not use the app name directly. + +Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. + +**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/InstallationState** +Optional. This node is supported in both user context and device context. +Represents the installation state for the app. The policy providers (not the MDM server) must update this node for the ESP to track the installation progress and update the status message. + +Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. + +Value type is integer. Expected values are as follows: +- 1 — NotInstalled +- 2 — InProgress +- 3 — Completed +- 4 — Error + +**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/RebootRequired** +Optional. This node is supported in both user context and device context. +Indicates if the app installation requires ESP to issue a reboot. 
The policy providers installing the app (not the MDM server) must set this node. If the policy providers do not set this node, the ESP will not reboot the device for the app installation. + +Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. + +Value type is integer. Expected values are as follows: +- 1 — NotRequired +- 2 — SoftReboot +- 3 — HardReboot + +**EnrollmentStatusTracking/Setup/HasProvisioningCompleted** +Required. This node is supported in both user context and device context. +ESP sets this node when it completes. Providers can query this node to determine if the ESP is showing, which allows them to determine if they still need to provide status updates for the ESP through this CSP. + +Scope is permanent. Supported operation is Get. + +Value type is boolean. Expected values are as follows: +- true — Indicates that ESP has completed. This is the default. +- false — Indicates that ESP is displayed, and provisioning is still going. \ No newline at end of file 
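Review bot: `applicationcontrol-csp.md` switches to a different CSP part-way through. The sentence "The following table provides the policy output based on different combinations of PolicyInfo nodes values:" is followed by no table; instead everything from `**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/TrackedResourceTypes**` to `**EnrollmentStatusTracking/Setup/HasProvisioningCompleted**` is EnrollmentStatusTracking CSP reference text that should be removed from this file, and the IsAuthorized/IsDeployed/IsEffective combination table the sentence promises should be added (or the sentence dropped). The four PolicyInfo child headings also carry a stray leading "E" (`**EApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version**`, `.../IsEffective`, `.../IsDeployed`, `.../IsAuthorized`) and should read `**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/...**` like the other node headings; the file is also missing its trailing newline.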
diff --git a/windows/client-management/mdm/images/provisioning-csp-applicationcontrol.png b/windows/client-management/mdm/images/provisioning-csp-applicationcontrol.png new file mode 100644 index 0000000000000000000000000000000000000000..012b0b392b9b87be370a7c80e0c2756e61141fe7 GIT binary patch literal 22335 zcmeFZcU)6hyEYtk6cvTBB7!n1!YCyO0s;bdq>BZl2Bb-ibg9t+WR#|~Pz>nMR15(r zAwUv}A{`0ROGKKXg&vZS>~95T=6TNZzUMvfIp2Thynp!PC+xlU+H2kAy07bA`{@k> zt=&5h?}Wi%yS1-hxe0@9xdZ-bZQl%jV-)&r6Zo;o>!#KvSbnQ04gBXP$BX(GVX(qj z{xzGe;Qu=wTsQTC!496}{oAB{Q+y5vGybZ5<>Kv!Rx^VfFVP7b$<;MK)uTu5=kNZD% zCrO*eZ92RwGh4vA>R#dY`Sg@oe_DEa^*3xrN_tx^Y3%r6^+ENy&`DhS?9sJWbr{Uy zDVGl>XTGEfd(`^}vE$HsU?|V6h1W!jDEs>QQmDIO z$)_tAluw?^GeW2en|;HY<0%LcSn|WmY%1A;?EBh( zcFOT+D`xJBIQq-xHbunU3f4td(-v4fwhSV&hj0ez2)PMK`H=JwS|F0dF=I*n1l#xi z6+~p!C5lzfnGn3vexFW7!nsT-oYjKGcGx~yDl`<}xBN6iJzXvDX?^mJ17D?=8Mo=k~d|d1}0Y+z@c|4 z=Lan>6%IJPFHbQaC}+$Q>w?trl{G2Vcu^Td&`Jl|%G3Z=0<*5k;vl`eib&q_egb)( zll&r#+2Bg6CU|V}==0Kp&V;du#2rCRiLDKb{E#QdY=ONMw(sN&3T+~*;X7G9u;YDA z3W5xV50q+QJLkC!i`AMN$vc*o-mQ7ryN5xZHFrmux{z^Q=H^bV%ebT#i-mX3qdNzj zhs|BETMS4Qop+mEb4w{qW2I>3l9uY}E$r0B^8w%Eo6v_F=t3~P1Y@YeYoaxL4DIQN z(~)$Nd>!d+X0kx97F~X6fr{}(1S1Iy`?zCt^{n1Qlm=Be)y&)!`Tjj#%^PRoVBAx0 zcWjAl>@h7vb0y>Lyia0sURvfOkw{6h6HHFUj6?4$anV#|4-UM|Yt(kuSDio`Xf6Ao zt>SvC<8m@%iXr9+DZ?{%fw#c?zy;=q4xII72hff83*_kV6pGJ z_*S$C-{#@3iJBST2HXux7&;u|daELp);5VhaXFI!Q{OSt$=_5Os! 
zr5(Li$8@`#kk|^d5VjL)vj3rauchzEU?(f4)OfD1^=PE|?P2rTKtEbj5xtm*&RRTh z@FR2ft3$<&AnV;Q;mV`GSD0BCWKuau!@cAaZjk+wcoi9H$ zc997W)nwL)nS_5Ad<>I&?BK#h-p$Jpe*#6DzF5w>?wKtc!LfnzlYm&yS{%x@M*TE3N z%SnklO|QQhmog`1p)iB`q_W0UUb??%60fyPwh?KNX%oGfFCR0D(xzOVbbIildg9hH zcY>=4llUU74w-vvp}p~KEDCmJT8@ZC?sdnLa1TQ0oUp16~8iuheUCZy>q zM;e>P)IYF9wkvtQk};(ZVN_0Ya0kS=o7dOo+h5_c*X3D!$V)5yizvS-tK6w5tD-K~ zVoh5W?O!iMGXoHx59dMQ&Gs6XaGm*md@5hU7Anl?X)by2ElAg)DTvS=g zid+)f0h73M5#r}%s-@hbjr)^EHfg zh=1SXIjf-qmFxR<+81-#bX~lH_cKJ#tcVhbn^ED|K~s ziQTergoT-vm6fy7q^@N4Xb`)ZUmIex-WCy%+B*mZYc~(AHML|nNeSVshyhbw*ro0* zu$;zO4!tf~1f72tn1=>)5g9V})ln1JU(6A*;UA-3pHU3Kkh#IOW)xkMyNYTE*41gc zY)FNA-tv*5weD6$#C=kwH>ccX9;TOK#KS}iXUQEx=`2b^+o-|g<9ipvGlC{*UQ~V= zxi!a|ESD{?eaQPzAcKhLL>oAV9IucluA0lx24JtRwbg*d27d>554{g z8lKkw9uzp=1}FFJB5Tm#dtrL-f*^iJ+?a{%+L$49&d+_{3(G|?rCMC<&h1rUO$;)k zGQ^a*uh;L=*2*>Kj&N(3glP^$&@y(9B0?l_znG!AA0n(a|#6@ANPAvMk}VyL3KGiI*_4Zg|ioG?PQV9mnW2Fp3)zN z)b_>m+^wZ)x5?v8$$Cyug~v!87-Fo|CO)NavhVZoM-+WXM*+fKZndtxuhduJ-t31K zHPY!ZB9@ksx&lJAOS_c1gvO_~IJLDpZ*C6e&nXH~5+tN-<7rAv$blOg{5qrK__&s$57Aa&30kH;dTM;ZJu z37tG>kQB@gT6CSAR(!49#)?kNJS`P`D$_<(U->Y`+jD+M$15M@kF_%IHTwbyoLSC} zPfJT{Kpuwa#TY~VJv|Q>CaBGratVcokDWS;B<6Bf^{C0Y=G#S3XJ04t2QHlyVTk+J90ryGyftqM%;wXH~$ z;LWzyT7zmU6h*aY1%+sIFd|${U*O!LQpD(um9nY8=}M)wgc@i?_6MEBcr4cb)A;LL zI>KG{yC})$fphRuwixt94Ib{^JA=Tx3FMTd;6S?NDt%^<} z>^^fgy_kAdgdpkMVG#dTI@8QGL~FQ*g;$z>)DNE~;ie7Z2kq4?Yy{k5kDZ{})_=1b zJr~%<`CUR$x8;c@A751#6GQV~%?utfLz!GZd?8wCmSsKW-Z^P zRqu}JhMvs)O0Jv>wm%rt4+$V+k7cqEIqH(aF7$>bNfLx{AwA%Q4m`lywM$DNs~P&1 z;@-6Edb?HI=Q={8RrOeCo_*4;w~B=CLV=Xj1(|WWi`2yLCF*}&;aKew0T9q{>O+e?T`KC1_JUUil{c^G(kkBBl zeKboZnKYRN4abq}R@4lX50__-J_;0(4nd?SCDF@1sWhw45}{~3<25|veHc`>6MCA+ zE!|XQcb^J%TLk=|vArg+4LY75#8OH5a#;rxG$FLB%-2^#`mS5qM{-4?mBkL;TqDW5 zNn>viJ&luV2S$e2)Qw3tE_|3kZAw1ZF~5c+`7XtIhd)-MER_6G(RXetY*&7gW!%}y zW8F6+b@Zx3BD^t$zGue++e!=VFs~yp<8q91L*RAq28wYP8lGxy+5k(+)Bw(UFhjJjYP2w8JfAm9|1JgdT}SN5kslW_yJ-1cRJjkjJ0~d4EoOl=$hqVRig2~7{i#`1 
zf@SQ(qrOX<@Nq7-w4=3!yMu;o+_Krifm#KhEr)DTb-nE0(S~{?&&eVatBRL@flWcp zwYgq&I?s!LZAc-JeeEdjB7-@J`7eVeJt0ZT?q;)StK14RRBb(6+cB%=T3qZ~7o^#4W#XiL@J5ewM_v9;qld%2S$?V zg_;%g;L#>YabBtD(w)Cy`(_-Zqod>7-sB#0Sp3Qj?|Ef?%7F!Zc!@)iYKcQnM$Dl? z1IYPAQkZN>Y8Pqcnmh{1>|$V7GH~~WG9Ncmy6aR?Dw%HvzOtY%*Yk`WG%N}d|1dcK zK)NT&GPCmupVGtM14S3rR~*qq`pSa#?-81?WIZfbsIs(tp`-&k<+qaB7#sVntull_jHx$fPTZV(c-XX*>l=ub3 z>4-oCkLdgb6U}ZtLbn>M@>NeCrAc?kGbGwRL#Yw15fp@ zTpI)~YPPN1YSC>5)@`E~INg4&eawFRdujMp_!(7a1E7 zra-mLJ(>`==qSm}pa$L>yG0Ei;WvbwX3cLJ#LbI^?5V-k0@Q-2@O5)^l;o&ydUWcH zF{B%|I1nKgQr2~_HHe2H8<<^&xUdDG1*#!*oFQ{cvSC$_yxosJq>nlSv+kSze;D%r z4h)OC^9rV+uou7x5(R`{63GBUH_}nc?gI}2d54C}%D~|nmigUigJ)6ogmHeGH_`~# zN=_@h_M3LZ9@xHX0E=fYlPml{I;*Y#NRo&0SSb;IfknG!o;4v~`k&pEK8Fyn`6YZf zK|mTN5z2cG4P}DMSC%C$5htMUzU$G66uT zLRM=@J2X{3@rCy?1QNcBCtevSsW3lO21>1k=p%DMWde4e?E+P4rrWq$OLWi#Jl3oO*s z-rLcr5HB}cQ{{Ew&@Tr;*&-SM1x|D$Ax_(ev7DW6v0;>?hQ2yh4Im)<4hc`ATCN3# zMl)yQ_VDgZ0&Y8YdDEtQ?O-OuE99h+?cabItbj@dV2qJw+Op!|Et zO(se)51*UpC>{Iqp*8c~i6fD)1YNL{5&aOLhBGG)w~e+oCSIpN@!U{J&*Q+5^nSXpv69AKjUKX9&7}bQ1BtKnZNWyVP`${#JL{m*KAn2<@bfzE|Hnbqv5ofCs?|#^3A&kJ2(zqZ38EgH54fX)S0ti zCxV@|^9AgbR)ui{f(Kz2~p~-IwRa+YG@NMkVl%sJPmh0zBAQ6d}7$mIm5AcqAxzL8Fn;a>4G{oHp$ zn-OS7kq|BdNj47_L@gb* z@|?raB}Bx2M0VB}!PS|=5n?$T##uDgicu3vLNsFHq+S%V5ZA})zQsE&{PyO@53&*U z18dHV6AqV5L?-AcJ4S!%+|+=_p_@1vUmY9vn|I95nnwdz+-wJ1khqS-z!I)QX-+tj z#~8?%V+PH~PmThJzyVxK$K&l62utLYQX(~7k7d0f;5Zzo;`*e zT1%VYp7jejs6t6z+wwc`OCM|n42}sL{kVmoP+Y%f45V_40OlIt@H&odzd&2koE@z6 zUu2GT9NP-3}H#ALejIV1C*4N+YmwXfTtX99XQUXcj&f|ET+PL z(Lwbq>~|gL#K_7_KgiALfNTRH)q8fo?1$K}$G3sxvn|mua8t4@2DLYaXh;F@~^wHT3TAXtvAUDFKIpjVJLPeXlfaht3pYw zJR%RE2wi1F@QPXnYgXhK%4ZVkNll#(d%bs?-XSFMNSAZtxPIOU+ZeC*fICOP7N%OUg( zp#I+8Ue^lWnZCoj0EZDRcb$h9VnnP5S`PFMg~`4w#tLK}7Tl=OKK%=0bFvWK%A zY9%^G&f4JznAaGC4E8^rytD`gN>U4t6cx`vjqih27m;hZ2UFU*e0c>c;u>>i7Wbvz<-6W?tN?a*8qf9B(^(Wrb|tCn~Ch|sRJ|iH6P}_rRcs^x?L<5lYh2ID0Rwfamt0$BHgX8 zAe=lSvX-*nuQz}ddfGn5D?^2Perg2vx&}C9Z00Pg1&t=n#T$+pG{h%-r zK4IYbTnrgq^!df$S#ep5{K;u~U)h|P2?q6M 
Date: Wed, 10 Jul 2019 16:59:05 -0700 Subject: [PATCH 2/8] Added content --- .../mdm/applicationcontrol-csp-ddf.md | 886 +++--------------- .../mdm/applicationcontrol-csp.md | 217 +++-- ...ew-in-windows-mdm-enrollment-management.md | 5 + 3 files changed, 258 insertions(+), 850 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md index 85e0516dfd..fa0bee9334 100644 --- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
@@ -1,22 +1,22 @@ --- -title: EnrollmentStatusTracking CSP -description: EnrollmentStatusTracking CSP +title: ApplicationControl CSP +description: ApplicationControl CSP ms.author: dansimp@microsoft.com ms.topic: article ms.prod: w10 ms.technology: windows author: ManikaDhiman -ms.date: 05/17/2019 +ms.date: 07/10/2019 --- -# EnrollmentStatusTracking DDF +# ApplicationControl CSP DDF -This topic shows the OMA DM device description framework (DDF) for the **EnrollmentStatusTracking** configuration service provider. DDF files are used only with OMA DM provisioning XML. +This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -### EnrollmentStatusTracking CSP +### ApplicationControl CSP ```xml @@ -26,13 +26,13 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic 1.2 - EnrollmentStatusTracking - ./User/Vendor/MSFT + ApplicationControl + ./Vendor/MSFT - These settings are used to communicate what policies the Enrollment Status Page (ESP) should block on. Using these settings, policy providers register themselves and the set of policies that need to be tracked. The ESP will include the counts of these policy sets in the status message to the user, and blocks progress on that page until all policies are provisioned. The policy provider is expected to drive the status updates by updating the appropriate node values, which will then be reflected in the ESP status message. + Root Node of the ApplicationControl CSP 
@@ -43,16 +43,16 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - com.microsoft/1.0/MDM/EnrollmentStatusTracking + - Setup + Policies - These settings are read by the Enrollment Status Page (ESP) during the Account Setup phase. Policy providers use these nodes to communicate progress state back to the ESP, which is then displayed to the user through progress message updates. + Beginning of a Subtree that contains all policies. 
@@ -62,373 +62,34 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - - - + Policies - Apps + - Policy providers use these settings to communicate to the ESP which app installations it should block on and provide progress in the status message to the user. + The GUID of the Policy - + - + - - - + Policy GUID - PolicyProviders - - - - - These settings are read by the Enrollment Status Page (ESP) during the Device Setup phase. Policy providers use these nodes to communicate progress state back to the ESP, which is then displayed to the user through progress message updates. - - - - - - - - - - - - - - - - - - - - - - - - - - This node represents an app policy provider for the Enrollment Status Page (ESP). Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true. - - - - - - - - - - - - - ProviderName - - - - - - TrackingPoliciesCreated - - - - - - - - Indicates when the provider has created the required policies for the ESP to use for tracking app installation progress. The policy provider itself is expected to set the value of this node, not the MDM server. - - - - - - - - - - - - - - text/plain - - - - - - - Tracking - - - - - This node represents an app policy provider for the Enrollment Status Page (ESP). Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true. - - - - - - - - - - - - - - - - - - - - - - - - - - The name of the provider responsible for installing these apps and providing status back to the Enrollment Status Page. - - - - - - - - - - - - - ProviderName - - - - - - - - - - - - - - A unique name for the app whose progress should be tracked in the ESP. The app name can be arbitrary as it is not used directly by the ESP, so the value can be defined however the policy provider chooses. 
- - - - - - - - - - - - - AppName - - - - - - TrackingUri - - - - - - - - An optional URI to another CSP for tracking the apps installation. If this value is not set, installation status is derived from the InstallationState node. - - - - - - - - - - - - - - text/plain - - - - - InstallationState - - - - - - - - The installation state for the app. This node should be updated by the policy providers (not the MDM server) so the ESP can track the installation progress and update the status message. Expected values: 1 = NotInstalled, 2 = InProgress, 3 = Completed, 4 = Error - - - - - - - - - - - - - - text/plain - - - - - RebootRequired - - - - - - - - An optional node indicating if the app installation requires the ESP to issue a reboot. This node should be set by the policy provider installing the app (not the MDM server). Expected values: 1 = NotRequired, 2 = SoftReboot, 3 = HardReboot. If this node is not set, the ESP will not reboot the device for this app install. - - - - - - - - - - - - - - text/plain - - - - - - - - - HasProvisioningCompleted - - - - - false - This node is set by the Enrollment Status Page (ESP) when it completes. Providers are able to query this node to determine if the ESP is showing, allowing them to bifurcate their logic accordingly. For instance, when an app install requires a reboot, the policy provider should let the ESP issue the reboot by setting RebootRequired value for that app if and only if the ESP is running, otherwise, the policy provider is responsible for issuing a reboot themselves. - - - - - - - - - - - - - - text/plain - - - - - - - EnrollmentStatusTracking - ./Device/Vendor/MSFT - - - - - These settings are used to communicate what policies the Enrollment Status Page (ESP) should block on. Using these settings, policy providers register themselves and the set of policies that need to be tracked. 
The ESP will include the counts of these policy sets in the status message to the user, and blocks progress on that page until all policies are provisioned. The policy provider is expected to drive the status updates by updating the appropriate node values, which will then be reflected in the ESP status message. - - - - - - - - - - - com.microsoft/1.0/MDM/EnrollmentStatusTracking - - - - DevicePreparation - - - - - These settings are read by the Enrollment Status Page (ESP) during the Device Preparation phase. These setting are used to orchestrate any setup activities prior to provisioning the device in the Device Setup phase of the ESP. - - - - - - - - - - - - - - - - - - PolicyProviders - - - - - These nodes indicate to the Enrollment Status Page (ESP) that it should wait in the Device Preparation phase until all PolicyProviders are installed or marked as not required. - - - - - - - - - - - - - - - - - - + Policy 
@@ -436,210 +97,29 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - This node represents a policy provider for the Enrollment Status Page (ESP). The node should be given a unique name for the policy provider. Registration of a policy provider indicates to the Enrollment Status Page that it should block in the Device Preparation phase until the provider sets its InstallationState node to 1 (not required) or 2 (complete). Once all registered policy providers have been marked as completed (or not required), the Enrollment Status Page will progress to the Device Setup phase. + The policy binary encoded as base64 - + - + - ProviderName + Policy - - InstallationState - - - - - - - - This node communicates the policy provider installation state back to the Enrollment Status Page. Expected values: 1 = NotInstalled, 2 = NotRequired, 3= Completed, 4 = Error. - - - - - - - - - - - - - - text/plain - - - - - LastError - - - - - - - - If a policy provider fails to install, it can optionally set an HRESULT error code that the Enrollment Status Page can display in an error message to the user. This node will only be read by the Enrollment Status Page when the provider's InstallationState node is set to 3 (Error). This node is only intended to be set by the policy provider itself, not the MDM server. - - - - - - - - - - - text/plain - - - - - Timeout - - - - - - - - An optional timeout (in minutes) for provider installation to complete before the Enrollment Status Page shows an error. Provider installation is considered complete when the InstallationState node is set to 2 (NotRequired) or 3 (Complete). If no timeout value is supplied the ESP will choose a default timeout value of 15 minutes. - - - - - - - - - - - - - - text/plain - - - - - TrackedResourceTypes - - - - - - - - This node's children registers which resource types the policy provider supports for provisioning. 
Only registered providers for a particular resource type will have their policies incorporated with Enrollment Status Page tracking message. - - - - - - - - - - - - - - - - - - Apps - - - - - - - - false - This node registers the policy provider for App provisioning. - - - - - - - - - - - - - - text/plain - - - - - - - - Setup - - - - - These settings are read by the Enrollment Status Page (ESP) during the Device Setup phase. Policy providers use these nodes to communicate progress state back to the ESP, which is then displayed to the user through progress message updates. - - - - - - - - - - - - - - - - - - Apps - - - - - These settings are used to communicate what policies the Enrollment Status Page (ESP) should block on. Using these settings, policy providers register themselves and the set of policies that need to be tracked. The ESP will include the counts of these policy sets in the status message to the user, and blocks progress on that page until all policies are provisioned. The policy provider is expected to drive the status updates by updating the appropriate node values, which will then be reflected in the ESP status message. - - - - - - - - - - - - - - - - - PolicyProviders + PolicyInfo - App policy providers for this CSP. These are the policy providers the ESP should wait on before showing the tracking message with status to the user. + Information Describing the Policy indicated by the GUID 
@@ -647,260 +127,148 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - + - - - + PolicyInfo - + Version - - - - This node represents an app policy provider for the Enrollment Status Page (ESP). Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true. + Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type - + - + - - - - ProviderName + Version - + text/plain - - TrackingPoliciesCreated - - - - - - - - Indicates when the provider has created the required policies for the ESP to use for tracking app installation progress. The policy provider itself is expected to set the value of this node, not the MDM server. - - - - - - - - - - - - - - text/plain - - - - - - Tracking - - - - - These are the set of apps that are being tracked by the Enrollment Status Page. - - - - - - - - - - - - - - - - - + IsEffective - - - - The name of the provider responsible for installing these apps and providing status back to the Enrollment Status Page. 
+ Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect) - + - + - - - - ProviderName + IsEffective - + text/plain + + + + + IsDeployed + + + + + Whether the Policy indicated by the GUID is deployed on the system (on the physical machine) + + + + + + + + + + IsDeployed + + text/plain + + + + + IsAuthorized + + + + + Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system + + + + + + + + + + IsAuthorized + + text/plain + + + + + Status + + + + + The Current Status of the Policy Indicated by the Policy GUID + + + + + + + + + + Status + + text/plain + + + + + FriendlyName + + + + + The FriendlyName of the Policy Indicated by the Policy GUID + + + + + + + + + + FriendlyName + + text/plain - - - - - - - - - - A unique name for the app whose progress should be tracked in the ESP. The app name can be arbitrary as it is not used directly by the ESP, so the value can be defined however the policy provider chooses. - - - - - - - - - - - - - AppName - - - - - - TrackingUri - - - - - - - - An optional URI to another CSP for tracking the apps installation. If this value is not set, installation status is derived from the InstallationState node. - - - - - - - - - - - - - - text/plain - - - - - InstallationState - - - - - - - - The installation state for the app. This node should be updated by the policy providers (not the MDM server) so the ESP can track the installation progress and update the status message. Expected values: 1 = NotInstalled, 2 = InProgress, 3 = Completed, 4 = Error - - - - - - - - - - - - - - text/plain - - - - - RebootRequired - - - - - - - - An optional node indicating if the app installation requires the ESP to issue a reboot. This node should be set by the policy provider installing the app (not the MDM server). Expected values: 1 = NotRequired, 2 = SoftReboot, 3 = HardReboot. 
If this node is not set, the ESP will not reboot the device for this app install. - - - - - - - - - - - - - - text/plain - - - - - - HasProvisioningCompleted - - - - - false - This node is set by the Enrollment Status Page (ESP) when it completes. Providers are able to query this node to determine if the ESP is showing, allowing them to bifurcate their logic accordingly. For instance, when an app install requires a reboot, the policy provider should let the ESP issue the reboot by setting RebootRequired value for that app if and only if the ESP is running, otherwise, the policy provider is responsible for issuing a reboot themselves. - - - - - - - - - - - - - - text/plain - - - - ``` \ No newline at end of file diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index d352156f6c..789a0fdafd 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -50,14 +50,14 @@ This subtree has nodes containing information which describes the policy indicat Scope is dynamic. Supported operation is Get. -**EApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version** +**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version** This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing use a uint64 as the containing data type. Scope is dynamic. Supported operation is Get. Value type is char. -**EApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective** +**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective** This node specifies whether a policy is actually loaded by the enforcement engine and is in effect on a system. Scope is dynamic. Supported operation is Get. 
@@ -67,7 +67,7 @@ Value type is bool. Supported values are as follows: - False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default. -**EApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed** +**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed** This node specifies whether a policy is on the system and is present on the physical machine. Scope is dynamic. Supported operation is Get. @@ -77,7 +77,7 @@ Value type is bool. Supported values are as follows: - False — Indicates that the policy is not on the system and is not present on the physical machine. This is the default. -**EApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** +**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy cannot take effect on the system. Scope is dynamic. Supported operation is Get. 
@@ -87,105 +87,140 @@ Value type is bool. Supported values are as follows: - False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. -The following table provides the policy output based on different combinations of PolicyInfo nodes values: +The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes: +|IsAuthorized|IsDeployed|IsEffective|Resultant| +|------------|----------|-----------|---------| +|True|True|True|Policy is currently running and in effect.| +|True|True|False|Policy requires a reboot to take effect.| +|True|False|True|Policy requires a reboot to unload from CI.| +|False|True|True|Not Reachable.| +|True|False|False|*Not Reachable.| +|False|True|False|*Not Reachable.| +|False|False|True|Not Reachable.| +|False|False|False|*Not Reachable.| +```*``` denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail. -**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/TrackedResourceTypes** -Required. This node is supported only in device context. -This node's children register which resource types the policy provider supports for provisioning. Only registered providers for a particular resource type will have their policies incorporated with ESP tracking message. +**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status** +This node specifies whether the deployment of the policy indicated by the GUID was successful. -Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. +Scope is dynamic. Supported operation is Get. -**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/TrackedResourceTypes/Apps** -Required. This node is supported only in device context. -This node specifies if the policy provider is registered for app provisioning. +Value type is integer. 
Default value is 0 == OK. -Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. +**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName** +This node provides the friendly name of the policy indicated by the policy GUID. -Value type is boolean. Expected values are as follows: -- false — Indicates that the policy provider is not registered for app provisioning. This is the default. -- true — Indicates that the policy provider is registered for app provisioning. +Scope is dynamic. Supported operation is Get. -**EnrollmentStatusTracking/Setup** -Required. This node is supported in both user context and device context. -Provides the settings that ESP reads during the account setup phase in the user context and device setup phase in the device context. Policy providers use this node to communicate progress status back to the ESP, which is then displayed to the user through progress messages. +Value type is char. -Scope is permanent. Supported operation is Get. +## ApplicationControl CSP usage guidance -**EnrollmentStatusTracking/Setup/Apps** -Required. This node is supported in both user context and device context. -Provides the settings to communicate to the ESP which app installations it should block on and provide progress in the status message to the user. +To use this CSP: +- Know a generated policy’s GUID, which can be found in the policy xml as ``````. +- Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. +- Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool. -Scope is permanent. Supported operation is Get. 
+ Sample certutil invocation: + ``` + certutil -encode WinSiPolicy.p7b WinSiPolicy.cer + ``` + Alternatively, you can use the following PowerShell invocation: + ``` + [Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) + ``` + If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you use Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy. -**EnrollmentStatusTracking/Setup/Apps/PolicyProviders** -Required. This node is supported in both user context and device context. -Specifies the app policy providers for this CSP. These are the policy providers the ESP should wait on before showing the tracking message with the status to the user. +- Deploy the policy: + - To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 snippet). -Scope is permanent. Supported operation is Get. + - To deploy base policy and supplemental policies: + - Perform an ADD as described above first with the GUID and policy data for the base policy + - Repeat for each base or supplemental policy in turn (with its own GUID and data) -**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**/***ProviderName*** -Optional. This node is supported in both user context and device context. -Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it should not show the tracking status message until the TrackingPoliciesCreated node has been set to true. + The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). -Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. 
+ **Example 1: Add first base policy** + ``` + + 1 + + + ./Vendor/MSFT/ApplicationControl/Policies/{Base1GUID}/Policy + + + b64 + + {Base1Data} + + + ``` + **Example 2: Add second base policy** + ``` + + 1 + + + ./Vendor/MSFT/ApplicationControl/Policies/{Base2GUID}/Policy + + + b64 + + {Base2Data} + + + ``` + **Example 3: Add supplemental policy** + ``` + + 1 + + + ./Vendor/MSFT/ApplicationControl/Policies/{Supplemental1GUID}/Policy + + + b64 + + {Supplemental1Data} + + + ``` +- Perform a GET operation using a deployed policy’s GUID to interrogate/inspect the policy itself or information about it. + - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy (raw p7b) + - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/Version (policy version) + - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsEffective (is the policy in effect) + - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsDeployed (is the policy on the system) + - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsAuthorized (is the policy authorized on the system) + - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/Status (was the deployment successful) + - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/FriendlyName (the friendly name per the policy) -**EnrollmentStatusTracking/Setup/Apps/PolicyProviders/*ProviderName*/TrackingPoliciesCreated** -Required. This node is supported in both user context and device context. -Indicates if the provider has created the required policies for the ESP to use for tracking app installation progress. The policy provider itself is expected to set the value of this node, not the MDM server. + **Sample Get command** + ``` + + 1 + + + ./Vendor/MSFT/ApplicationControl/Policies/{PolicyGUID}/Policy + + + + ``` +- Delete the policy. + To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy**. 
-Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. - -Value type is boolean. The expected values are as follows: -- true — Indicates that the provider has created the required policies. -- false — Indicates that the provider has not created the required policies. This is the default. - -**EnrollmentStatusTracking/Setup/Apps/Tracking** -Required. This node is supported in both user context and device context. -Root node for the app installations being tracked by the ESP. - -Scope is permanent. Supported operation is Get. - -**EnrollmentStatusTracking/Setup/Apps/Tracking/_ProviderName_** -Optional. This node is supported in both user context and device context. -Indicates the provider name responsible for installing the apps and providing status back to ESP. - -Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. - -**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/_AppName_** -Optional. This node is supported in both user context and device context. -Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP does not use the app name directly. - -Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. - -**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/InstallationState** -Optional. This node is supported in both user context and device context. -Represents the installation state for the app. The policy providers (not the MDM server) must update this node for the ESP to track the installation progress and update the status message. - -Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. - -Value type is integer. Expected values are as follows: -- 1 — NotInstalled -- 2 — InProgress -- 3 — Completed -- 4 — Error - -**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/RebootRequired** -Optional. 
This node is supported in both user context and device context. -Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers do not set this node, the ESP will not reboot the device for the app installation. - -Scope is dynamic. Supported operations are Get, Add, Delete, and Replace. - -Value type is integer. Expected values are as follows: -- 1 — NotRequired -- 2 — SoftReboot -- 3 — HardReboot - -**EnrollmentStatusTracking/Setup/HasProvisioningCompleted** -Required. This node is supported in both user context and device context. -ESP sets this node when it completes. Providers can query this node to determine if the ESP is showing, which allows them to determine if they still need to provide status updates for the ESP through this CSP. - -Scope is permanent. Supported operation is Get. - -Value type is boolean. Expected values are as follows: -- true — Indicates that ESP has completed. This is the default. -- false — Indicates that ESP is displayed, and provisioning is still going. \ No newline at end of file + > [!Note] + > Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** is not sufficient to delete a signed policy. + + To delete a signed policy, first replace it with a signed update allowing unsigned policy, then deploy another update with unsigned policy, then perform delete. + + **Delete a policy** + ``` + + 1 + + + ./Vendor/MSFT/ApplicationControl/Policies/{PolicyGUID}/Policy + + + + ``` \ No newline at end of file diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 3ca4486f3b..754e6e0023 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md 
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -140,6 +140,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s EnrollmentStatusTracking CSP

Added new CSP in Windows 10, version 1903.

+ +ApplicationStatus CSP +

Added new CSP in Windows 10, version 1903.

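Review bot: the added entry reads `ApplicationStatus CSP`, but the CSP this series documents is ApplicationControl, and the second hunk in the same file adds the row `[ApplicationControl CSP](applicationcontrol-csp.md)`; rename the entry to `ApplicationControl CSP` here rather than in a follow-up commit (PATCH 3/8 fixes it later, so squash that fix into this one).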
+ @@ -1885,6 +1889,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o |New or updated topic | Description| |--- | ---| +|[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.| |Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:
Create a custom configuration service provider
Design a custom configuration service provider
IConfigServiceProvider2
IConfigServiceProvider2::ConfigManagerNotification
IConfigServiceProvider2::GetNode
ICSPNode
ICSPNode::Add
ICSPNode::Clear
ICSPNode::Copy
ICSPNode::DeleteChild
ICSPNode::DeleteProperty
ICSPNode::Execute
ICSPNode::GetChildNodeNames
ICSPNode::GetProperty
ICSPNode::GetPropertyIdentifiers
ICSPNode::GetValue
ICSPNode::Move
ICSPNode::SetProperty
ICSPNode::SetValue
ICSPNodeTransactioning
ICSPValidate
Samples for writing a custom configuration service provider| From ebb304f60acb806637d4edeb3715c865d4a9a193 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 12 Jul 2019 13:17:04 -0700 Subject: [PATCH 3/8] Added more content --- .../mdm/applicationcontrol-csp.md | 178 +++++++++--------- ...ew-in-windows-mdm-enrollment-management.md | 2 +- 2 files changed, 92 insertions(+), 88 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 789a0fdafd..d7460e498b 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -11,8 +11,8 @@ ms.date: 05/21/2019 # ApplicationControl CSP -Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the AppLocker CSP, the ApplicationControl CSP correctly detects the presence of the no-reboot option and consequently does not schedule a reboot. -Existing WDAC policies which were deployed using the AppLocker CSP’s CodeIntegrity node can be deployed via the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will occur in the ApplicationControl CSP only. +Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike AppLocker CSP, the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. +Existing WDAC policies which were deployed using the AppLocker CSP’s CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. 
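Review bot: the rewrite drops the articles in "Unlike AppLocker CSP, the ApplicationControl CSP correctly detects the presence of no-reboot option"; the replaced text had "the AppLocker CSP" and "the no-reboot option", which read correctly, so either keep them or drop the article from both CSP names consistently.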
Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will occur in the ApplicationControl CSP only. The ApplicationControl CSP was added in Windows 10, version 1903. @@ -26,7 +26,7 @@ Defines the root node for the ApplicationControl CSP. Scope is permanent. Supported operation is Get. **ApplicationControl/Policies** -This subtree contains all the policies, which are each identified by their GUID. +This node contains all the policies, each identified by their GUID. Scope is permanent. Supported operation is Get. @@ -44,9 +44,8 @@ Value type is b64. Supported value is any well-formed WDAC policy, i.e. the base Default value is empty. - **ApplicationControl/Policies/_Policy GUID_/PolicyInfo** -This subtree has nodes containing information which describes the policy indicated by the GUID. +This node is the subtree for nodes that describe the policy indicated by the GUID. Scope is dynamic. Supported operation is Get. 
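Review bot: in the `-44,9` hunk, "This node is the subtree for nodes that describe the policy indicated by the GUID" is more awkward than the text it replaces; "This node contains the nodes that describe the policy indicated by the GUID" says the same thing plainly. In the `-26,7` hunk, "each identified by their GUID" should be "each identified by its GUID". Removing the blank line before **ApplicationControl/Policies/_Policy GUID_/PolicyInfo** breaks the one-blank-line spacing the other node entries use.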
@@ -65,17 +64,15 @@ Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: - True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system. - False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default. - **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed** -This node specifies whether a policy is on the system and is present on the physical machine. +This node specifies whether a policy is deployed on the system and is present on the physical machine. Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is on the system and is present on the physical machine. -- False — Indicates that the policy is not on the system and is not present on the physical machine. This is the default. - +- True — Indicates that the policy is deployed on the system and is present on the physical machine. +- False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy cannot take effect on the system. @@ -85,7 +82,6 @@ Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: - True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system. - False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. - The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes: |IsAuthorized|IsDeployed|IsEffective|Resultant| 
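Review bot: "whether a policy is deployed on the system and is present on the physical machine" is circular (deployed and present say the same thing); state what IsDeployed actually reports, for example that the policy binary is present on the machine, as distinct from IsEffective, which is whether the enforcement engine has loaded it. The hunk also removes the blank lines before **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** and before "The following table provides the result of this policy", which squeezes those entries together while the rest of the file keeps a blank line between entries.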
@@ -116,8 +112,8 @@ Value type is char. ## ApplicationControl CSP usage guidance -To use this CSP: -- Know a generated policy’s GUID, which can be found in the policy xml as ``````. +Here are the usage guidance for ApplicationControl CSP: +- Know a generated policy’s GUID, which can be found in the policy xml as ``. - Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. - Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool. 
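Review bot: "Here are the usage guidance for ApplicationControl CSP:" is ungrammatical (guidance is uncountable); the previous "To use this CSP:" was fine, or use "To use the ApplicationControl CSP, you must:". While touching these bullets, format `ConvertFrom-CIPolicy` and `certutil -encode` as code and write "policy XML" rather than "policy xml".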
@@ -129,92 +125,100 @@ To use this CSP: ``` [Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) ``` - If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you use Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy. +> [!NOTE] +> If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you use Base64 as the data type when using Custom OMA-URI functionality to apply the Code Integrity policy. -- Deploy the policy: - - To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 snippet). +## Deploy policies using ApplicationControl CSP +To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. - - To deploy base policy and supplemental policies: - - Perform an ADD as described above first with the GUID and policy data for the base policy - - Repeat for each base or supplemental policy in turn (with its own GUID and data) +To deploy base policy and supplemental policies: +- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy +- Repeat for each base or supplemental policy (with its own GUID and data) - The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). 
+The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). - **Example 1: Add first base policy** - ``` - - 1 - - - ./Vendor/MSFT/ApplicationControl/Policies/{Base1GUID}/Policy - - - b64 - - {Base1Data} - - - ``` - **Example 2: Add second base policy** - ``` - - 1 - - - ./Vendor/MSFT/ApplicationControl/Policies/{Base2GUID}/Policy - - - b64 - +**Example 1: Add first base policy** +``` + + 1 + + + ./Vendor/MSFT/ApplicationControl/Policies/{Base1GUID}/Policy + + + b64 + + {Base1Data} + + +``` +**Example 2: Add second base policy** +``` + + 1 + + + ./Vendor/MSFT/ApplicationControl/Policies/{Base2GUID}/Policy + + + b64 + {Base2Data} - - - ``` - **Example 3: Add supplemental policy** - ``` - - 1 + + +``` +**Example 3: Add supplemental policy** +``` + + 1 + + + ./Vendor/MSFT/ApplicationControl/Policies/{Supplemental1GUID}/Policy + + + b64 + + {Supplemental1Data} + + +``` +## Get policy + +Perform a GET using a deployed policy’s GUID to interrogate/inspect the policy itself or information about it. 
+The following table displays the result of Get operation on different nodes: + +|Nodes|Get Operation Results| +|-------------|------| +|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy|raw p7b| +|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/Version|policy version| +|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsEffective|is the policy in effect| +|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsDeployed|is the policy on the system| +|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsAuthorized|is the policy authorized on the system| +|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/Status|was the deployment successful| +|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/FriendlyName|the friendly name per the policy| + +**Sample Get command** +``` + + 1 - ./Vendor/MSFT/ApplicationControl/Policies/{Supplemental1GUID}/Policy + ./Vendor/MSFT/ApplicationControl/Policies/{PolicyGUID}/Policy - - b64 - - {Supplemental1Data} - - ``` -- Perform a GET operation using a deployed policy’s GUID to interrogate/inspect the policy itself or information about it. 
- - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy (raw p7b) - - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/Version (policy version) - - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsEffective (is the policy in effect) - - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsDeployed (is the policy on the system) - - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsAuthorized (is the policy authorized on the system) - - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/Status (was the deployment successful) - - ./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/FriendlyName (the friendly name per the policy) + +``` - **Sample Get command** - ``` - - 1 - - - ./Vendor/MSFT/ApplicationControl/Policies/{PolicyGUID}/Policy - - - - ``` -- Delete the policy. - To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy**. +## Delete the policy +To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy**. - > [!Note] - > Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** is not sufficient to delete a signed policy. +> [!Note] +> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** is not sufficient to delete a signed policy. - To delete a signed policy, first replace it with a signed update allowing unsigned policy, then deploy another update with unsigned policy, then perform delete. +To delete a signed policy, first replace it with a signed update allowing unsigned policy, then deploy another update with unsigned policy, then perform delete. - **Delete a policy** - ``` +**Delete a policy** +``` 1 
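Review bot: "Refer to the the Format section in the Example 1 below" carries a duplicated "the" over from the old text; fix it in this rewrite. The new headings `## Deploy policies using ApplicationControl CSP`, `## Get policy` and `## Delete the policy` are H2 siblings of `## ApplicationControl CSP usage guidance` although they are its steps, so they belong at `###`. In the Get results table, "raw p7b" for the Policy node is misleading because the node's value type is b64 (per the context line "Value type is b64" earlier in this file); "Base64-encoded policy binary (p7b)" is accurate. Converting the Base64 data-type sentence into a `> [!NOTE]` callout is a good change.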
@@ -223,4 +227,4 @@ To use this CSP: - ``` \ No newline at end of file +``` \ No newline at end of file diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 754e6e0023..73f2ac1d13 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -141,7 +141,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s

Added new CSP in Windows 10, version 1903.

-ApplicationStatus CSP +ApplicationControl CSP

Added new CSP in Windows 10, version 1903.

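Review bot: this corrects the `ApplicationStatus CSP` entry added by the earlier patch in this series; since the series is not yet merged, squash this change into that commit so the history never carries the wrong CSP name.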
From 2655a6b0fb74dc258639895131b8c8756887669b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 12 Jul 2019 14:34:32 -0700 Subject: [PATCH 4/8] minor updates --- .../mdm/applicationcontrol-csp.md | 64 +++++++++---------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index d7460e498b..a3c06c8189 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -12,7 +12,7 @@ ms.date: 05/21/2019 # ApplicationControl CSP Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike AppLocker CSP, the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. -Existing WDAC policies which were deployed using the AppLocker CSP’s CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will occur in the ApplicationControl CSP only. +Existing WDAC policies deployed using AppLocker CSP’s CodeIntegrity node can now be deployed using ApplicationControl CSP URI. Although WDAC policy deployment via AppLocker CSP will continue to be supported, all new feature work will occur in ApplicationControl CSP only. The ApplicationControl CSP was added in Windows 10, version 1903. 
@@ -26,7 +26,7 @@ Defines the root node for the ApplicationControl CSP. Scope is permanent. Supported operation is Get. **ApplicationControl/Policies** -This node contains all the policies, each identified by their GUID. +This node contains all the policies, each identified by their globally unique identifier (GUID). Scope is permanent. Supported operation is Get. @@ -45,7 +45,7 @@ Value type is b64. Supported value is any well-formed WDAC policy, i.e. the base Default value is empty. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo** -This node is the subtree for nodes that describe the policy indicated by the GUID. +This node contains the nodes that describe the policy indicated by the GUID. Scope is dynamic. Supported operation is Get. 
@@ -110,35 +110,35 @@ Scope is dynamic. Supported operation is Get. Value type is char. -## ApplicationControl CSP usage guidance +## Usage guidance -Here are the usage guidance for ApplicationControl CSP: +To use ApplicationControl CSP, you must: - Know a generated policy’s GUID, which can be found in the policy xml as ``. - Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. -- Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool. +- Create a policy node (a Base64-encoded blob of the binary policy representation) using the [certutil -encode](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_encode) command line tool. - Sample certutil invocation: - ``` - certutil -encode WinSiPolicy.p7b WinSiPolicy.cer - ``` - Alternatively, you can use the following PowerShell invocation: - ``` - [Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) - ``` -> [!NOTE] -> If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you use Base64 as the data type when using Custom OMA-URI functionality to apply the Code Integrity policy. +Here is a sample certutil invocation: +``` +certutil -encode WinSiPolicy.p7b WinSiPolicy.cer +``` +An alternative to using certutil would be to use the following PowerShell invocation: +``` +[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) +``` +If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI +functionality to apply the Code Integrity policy. 
-## Deploy policies using ApplicationControl CSP +### Deploy policies To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. To deploy base policy and supplemental policies: -- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy -- Repeat for each base or supplemental policy (with its own GUID and data) +- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. +- Repeat for each base or supplemental policy (with its own GUID and data). The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). **Example 1: Add first base policy** -``` +```xml 1 @@ -153,22 +153,22 @@ The following example shows the deployment of two base policies and a supplement ``` **Example 2: Add second base policy** -``` +```xml 1 ./Vendor/MSFT/ApplicationControl/Policies/{Base2GUID}/Policy - + b64 - - {Base2Data} + + {Base2Data} ``` **Example 3: Add supplemental policy** -``` +```xml 1 
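Review bot: in the `-110,35` hunk the `> [!NOTE]` callout about using Base64 as the data type for Custom OMA-URI is turned back into plain paragraph text and the sentence is broken with a hard line break after "Custom OMA-URI"; the callout was the better form for a must-do caveat, and the line break should go. "An alternative to using certutil would be to use the following PowerShell invocation" can simply be "Alternatively, use the following PowerShell invocation". Adding the `xml` tag to the code fences and linking `certutil -encode` are good changes.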
@@ -178,17 +178,17 @@ The following example shows the deployment of two base policies and a supplement b64 - {Supplemental1Data} + {Supplemental1Data} ``` -## Get policy +### Get policies Perform a GET using a deployed policy’s GUID to interrogate/inspect the policy itself or information about it. The following table displays the result of Get operation on different nodes: -|Nodes|Get Operation Results| -|-------------|------| +|Nodes | Get Results| +|------------- | ------| |./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy|raw p7b| |./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/Version|policy version| |./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsEffective|is the policy in effect| @@ -198,7 +198,7 @@ The following table displays the result of Get operation on different nodes: |./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/FriendlyName|the friendly name per the policy| **Sample Get command** -``` +```xml 1 @@ -209,7 +209,7 @@ The following table displays the result of Get operation on different nodes: ``` -## Delete the policy +### Delete policies To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy**. > [!Note] @@ -218,7 +218,7 @@ To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationCon To delete a signed policy, first replace it with a signed update allowing unsigned policy, then deploy another update with unsigned policy, then perform delete. **Delete a policy** -``` +```xml 1 From 9821ea2e51d0eb6b13009eb548e401e3a78d476d Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 12 Jul 2019 15:28:41 -0700 Subject: [PATCH 5/8] content updates --- .../mdm/applicationcontrol-csp.md | 46 +++++++++++-------- 1 file changed, 26 insertions(+), 20 deletions(-) 
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index a3c06c8189..f691632d9a 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -11,8 +11,8 @@ ms.date: 05/21/2019 # ApplicationControl CSP -Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike AppLocker CSP, the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. -Existing WDAC policies deployed using AppLocker CSP’s CodeIntegrity node can now be deployed using ApplicationControl CSP URI. Although WDAC policy deployment via AppLocker CSP will continue to be supported, all new feature work will occur in ApplicationControl CSP only. +Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. +Existing WDAC policies deployed using AppLocker CSP’s CodeIntegrity node can now be deployed using ApplicationControl CSP URI. 
Although WDAC policy deployment via AppLocker CSP will continue to be supported, all new feature work will be done in ApplicationControl CSP only. The ApplicationControl CSP was added in Windows 10, version 1903. @@ -26,12 +26,12 @@ Defines the root node for the ApplicationControl CSP. Scope is permanent. Supported operation is Get. **ApplicationControl/Policies** -This node contains all the policies, each identified by their globally unique identifier (GUID). +An interior node that contains all the policies, each identified by their globally unique identifier (GUID). Scope is permanent. Supported operation is Get. **ApplicationControl/Policies/_Policy GUID_** -The ApplicationControl CSP enforces that the “ID” segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each Policy GUID node contains a Policy node and a corresponding PolicyInfo node. +The ApplicationControl CSP enforces that the “ID” segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each *Policy GUID* node contains a Policy node and a corresponding PolicyInfo node. Scope is dynamic. Supported operation is Get. @@ -45,7 +45,7 @@ Value type is b64. Supported value is any well-formed WDAC policy, i.e. the base Default value is empty. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo** -This node contains the nodes that describe the policy indicated by the GUID. +An interior node that contains the nodes that describe the policy indicated by the GUID. Scope is dynamic. Supported operation is Get. 
@@ -84,8 +84,9 @@ Value type is bool. Supported values are as follows: - False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes: -|IsAuthorized|IsDeployed|IsEffective|Resultant| -|------------|----------|-----------|---------| + +|IsAuthorized | IsDeployed | IsEffective | Resultant | +|------------ | ---------- | ----------- | --------- | |True|True|True|Policy is currently running and in effect.| |True|True|False|Policy requires a reboot to take effect.| |True|False|True|Policy requires a reboot to unload from CI.| @@ -94,7 +95,8 @@ The following table provides the result of this policy based on different values |False|True|False|*Not Reachable.| |False|False|True|Not Reachable.| |False|False|False|*Not Reachable.| -```*``` denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail. + +`*` denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status** This node specifies whether the deployment of the policy indicated by the GUID was successful. 
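Review bot: in the `-94,7` hunk, "the END_COMMAND_PROCESSING will result in a fail" should read "END_COMMAND_PROCESSING will fail". The table has both "Not Reachable." and "*Not Reachable." rows, but the footnote only says that `*` marks a valid intermediary state; add that unstarred "Not Reachable" rows cannot occur at all, so readers know the two are different. Replacing the fenced ```*``` with inline `*` is the right fix.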
@@ -129,10 +131,10 @@ If you are using hybrid MDM management with System Center Configuration Manager functionality to apply the Code Integrity policy. ### Deploy policies -To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. +To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below. To deploy base policy and supplemental policies: -- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. +- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. - Repeat for each base or supplemental policy (with its own GUID and data). The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). 
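Review bot: "Refer to the the Format section in the Example 1 below" still has the duplicated "the" after three revisions of this paragraph; fix it here. Renaming `_PolicyGUID_` to `_Policy GUID_` in this section leaves the Delete section's note and instruction with `_PolicyGUID_` (PATCH 7/8 catches them later); do the rename in one commit so the topic never has both spellings.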
@@ -185,19 +187,20 @@ The following example shows the deployment of two base policies and a supplement ### Get policies Perform a GET using a deployed policy’s GUID to interrogate/inspect the policy itself or information about it. + The following table displays the result of Get operation on different nodes: |Nodes | Get Results| |------------- | ------| -|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy|raw p7b| -|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/Version|policy version| -|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsEffective|is the policy in effect| -|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsDeployed|is the policy on the system| -|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsAuthorized|is the policy authorized on the system| -|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/Status|was the deployment successful| -|./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/FriendlyName|the friendly name per the policy| +|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy|raw p7b| +|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version|Policy version| +|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective|Is the policy in effect| +|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed|Is the policy on the system| +|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized|Is the policy authorized on the system| +|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful| +|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy| -**Sample Get command** +The following is an example of Get command: ```xml 1 
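Review bot: "The following is an example of Get command:" should be "The following is an example of a Get command:". The Get Results cells are now capitalised except "raw p7b"; since the Policy node's value type is b64, "Base64-encoded policy binary (p7b)" is both consistent with the other cells and more accurate than "raw p7b".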
@@ -215,9 +218,12 @@ To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationCon > [!Note] > Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** is not sufficient to delete a signed policy. -To delete a signed policy, first replace it with a signed update allowing unsigned policy, then deploy another update with unsigned policy, then perform delete. +To delete a signed policy: +1. Replace it with a signed update allowing unsigned policy. +2. Deploy another update with unsigned policy. +3. Perform delete. -**Delete a policy** +The following is an example of Delete command: ```xml 1 From c30b94b117f42da5c125f99ca0700ccadd6d9e5c Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 12 Jul 2019 15:34:00 -0700 Subject: [PATCH 6/8] Updated TOC --- windows/client-management/mdm/TOC.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 2777f01ddd..d77896805e 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -55,6 +55,8 @@ ### [AllJoynManagement CSP](alljoynmanagement-csp.md) #### [AllJoynManagement DDF](alljoynmanagement-ddf.md) ### [APPLICATION CSP](application-csp.md) +### [ApplicationControl CSP](applicationcontrol-csp.md) +#### [ApplicationControl DDF file](applicationcontrol-csp-ddf.md) ### [AppLocker CSP](applocker-csp.md) #### [AppLocker DDF file](applocker-ddf-file.md) #### [AppLocker XSD](applocker-xsd.md) From f9480853c12c5b3ee9f870211202aa8accd46ecc Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 12 Jul 2019 15:52:15 -0700 Subject: [PATCH 7/8] Minor updates --- windows/client-management/mdm/applicationcontrol-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
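Review bot: in the `-215,9` hunk, step 3 "Perform delete." is underspecified; say "Perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy**" as the unsigned case above does. Step 1 "Replace it with a signed update allowing unsigned policy" should spell out that the update is a policy whose rule options permit unsigned policy and that it must itself be signed, since the note above says only signed updates can replace a signed policy. Turning the run-on sentence into a numbered list is a good change.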
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index f691632d9a..f9b194f07c 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -213,10 +213,10 @@ The following is an example of Get command: ``` ### Delete policies -To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy**. +To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy**. > [!Note] -> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** is not sufficient to delete a signed policy. +> Only signed things should be able to update signed policies. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy. To delete a signed policy: 1. Replace it with a signed update allowing unsigned policy. From ec3eb7db8e9a7a6679cebe2158da6a496225885d Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 15 Jul 2019 10:35:25 -0700 Subject: [PATCH 8/8] Added SKU info --- .../mdm/applicationcontrol-csp.md | 10 +++---- ...onfiguration-service-provider-reference.md | 28 +++++++++++++++++++ 2 files changed, 33 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index f9b194f07c..4f5c622cc0 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -11,17 +11,17 @@ ms.date: 05/21/2019 # ApplicationControl CSP -Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. +Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike [AppLocker CSP](applocker-csp.md), ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. Existing WDAC policies deployed using AppLocker CSP’s CodeIntegrity node can now be deployed using ApplicationControl CSP URI. Although WDAC policy deployment via AppLocker CSP will continue to be supported, all new feature work will be done in ApplicationControl CSP only. -The ApplicationControl CSP was added in Windows 10, version 1903. +ApplicationControl CSP was added in Windows 10, version 1903. -The following diagram shows the ApplicationControl CSP in tree format. 
+The following diagram shows ApplicationControl CSP in tree format. ![tree diagram for applicationcontrol csp](images/provisioning-csp-applicationcontrol.png) **./Vendor/MSFT/ApplicationControl** -Defines the root node for the ApplicationControl CSP. +Defines the root node for ApplicationControl CSP. Scope is permanent. Supported operation is Get. @@ -31,7 +31,7 @@ An interior node that contains all the policies, each identified by their global Scope is permanent. Supported operation is Get. **ApplicationControl/Policies/_Policy GUID_** -The ApplicationControl CSP enforces that the “ID” segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each *Policy GUID* node contains a Policy node and a corresponding PolicyInfo node. +ApplicationControl CSP enforces that the “ID” segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each *Policy GUID* node contains a Policy node and a corresponding PolicyInfo node. Scope is dynamic. Supported operation is Get. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 06824c4c4a..a282ba8384 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -172,6 +172,34 @@ Additional lists: + +[ApplicationControl CSP](applicationcontrol-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark6check mark6check mark6check mark6check mark6check mark6check mark6
+ + + + [AppLocker CSP](applocker-csp.md)
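Review bot: Capitalization in the Get Results column of the @@ -185,19 +187,20 @@ hunk is now inconsistent: every cell was capitalized ("Policy version", "Is the policy in effect") except "raw p7b", which was left as is. Either capitalize it or, better, say what the caller actually receives, e.g. "Raw policy binary (p7b)", since that row is the one that returns the policy itself rather than metadata about it. The lead-in added in the same hunk should also read "The following is an example of a Get command:".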
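Review bot: In the @@ -215,9 +218,12 @@ hunk the note "Only signed things should be able to update signed policies" is too vague for a security-relevant rule; say what may update a signed policy (a signed policy update) and who must have signed it, since the three-step procedure that follows relies entirely on that first signed update being accepted. Step 3, "Perform delete.", should also name the node, matching the unsigned case in the same hunk: "Perform a DELETE on ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy." As written, a reader cannot tell whether the final DELETE targets the Policy node or the Policy GUID node.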
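Review bot: Two style points on the @@ -11,17 +11,17 @@ hunk of applicationcontrol-csp.md: "detects the presence of no-reboot option" is missing an article ("the no-reboot option"), and the multiple-policies link carries an `en-us` locale segment (`https://docs.microsoft.com/en-us/windows/security/...`), which the docs convention drops so the link follows the reader's locale. The change also removes "the" before "ApplicationControl CSP" in this hunk and in @@ -31,7 +31,7 @@, but the neighbouring sentence still says "Unlike [AppLocker CSP](applocker-csp.md)", so the two CSP names are now referred to consistently; fine, just make sure the unchanged parts of the page outside this hunk follow the same form.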
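Review bot: Missing documentation in the @@ -31,7 +31,7 @@ hunk: the sentence states that the CSP enforces that the "ID" segment of the policy URI equals the policy ID in the policy blob, but not what happens when they differ. Since this is the first check a caller hits on a mis-addressed deploy, the node description should say whether the operation is rejected and what result the MDM server sees, so an administrator can distinguish a GUID mismatch from a bad policy blob.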
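Review bot: The SKU table added in the configuration-service-provider-reference.md hunk marks all seven editions, including Mobile and Mobile Enterprise, as supported with footnote 6, while the body text in this same patch says ApplicationControl CSP was added in Windows 10, version 1903. Please confirm that the Mobile columns are correct for a CSP introduced in that version, and that footnote 6 is defined in that page's footnote list, since the row carries the same footnote in every column.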