deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 22:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #470 from MicrosoftDocs/FromPrivateRepo

Browse Source 
From private repo
This commit is contained in:
Alma Jenks 2018-02-05 15:38:29 -08:00 committed by GitHub
commit 8bffdbb37d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 1030 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/client-management/mdm/TOC.md
View File

@ -281,6 +281,8 @@
#### [SurfaceHub DDF file](surfacehub-ddf-file.md)
### [TPMPolicy CSP](tpmpolicy-csp.md)
#### [TPMPolicy DDF file](tpmpolicy-ddf-file.md)
### [UEFI CSP](uefi-csp.md)
#### [UEFI DDF file](uefi-ddf.md)
### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
#### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md)
### [Update CSP](update-csp.md)

30
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 12/05/2017
ms.date: 02/02/2018
---
# Configuration service provider reference
@ -2079,6 +2079,34 @@ Footnotes:
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[Uefi CSP](uefi-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)

40
windows/client-management/mdm/dmclient-csp.md
View File

@ -13,6 +13,9 @@ ms.date: 11/01/2017
# DMClient CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment.
The following diagram shows the DMClient configuration service provider in tree format.
@ -257,6 +260,11 @@ Optional. Number of days after last sucessful sync to unenroll.
Supported operations are Add, Delete, Get, and Replace. Value type is integer.
<a href="" id="provider-providerid-aadsenddevicetoken"></a>**Provider/*ProviderID*/AADSendDeviceToken**
Device. Added in Windows 10 next major update. For AZure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.
<a href="" id="provider-providerid-poll"></a>**Provider/*ProviderID*/Poll**
Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
@ -690,19 +698,45 @@ Required. Added in Windows 10, version 1709. This node determines how long we wi
Supported operations are Get and Replace. Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-serverhasfinishedprovisioning"></a>**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED.
Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Supported operations are Get and Replace. Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-issyncdone"></a>**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times).
<a href="" id="provider-providerid-firstsyncstatus-issyncdone"></a>**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-wasdevicesuccessfullyprovisioned"></a>**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true.
Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-blockinstatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
Required. Device Only. Added in Windows 10, next major update. This node determines whether or not the MDM progress page is blocking in the Azure AD joined or DJ++ case, as well as which remediation options are available.
Supported operations are Get and Replace. Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-allowcollectlogsbutton"></a>**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
Required. Added in Windows 10, next major update. This node decides whether or not the MDM progress page displays the Collect Logs button.
Supported operations are Get and Replace. Value type is bool.
<a href="" id="provider-providerid-firstsyncstatus-customerrortext"></a>**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
Required. Added in Windows 10, next major update. This node allows the MDM to set custom error text, detailing what the user needs to do in case of error.
Supported operations are Add, Get, Delete, and Replace. Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-skipdevicestatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
Required. Device only. Added in Windows 10, next major update. This node decides wheter or not the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
Supported operations are Get and Replace. Value type is bool.
<a href="" id="provider-providerid-firstsyncstatus-skipuserstatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
Required. Device only. Added in Windows 10, next major update. This node decides wheter or not the MDM user progress page skips after Azure AD joined or DJ++ after user login.
Supported operations are Get and Replace. Value type is bool.
<a href="" id="provider-providerid-enhancedapplayersecurity"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity**
Required node. Added in Windows 10, version 1709.

516
windows/client-management/mdm/dmclient-ddf-file.md
View File

@ -13,11 +13,14 @@ ms.date: 12/05/2017
# DMClient DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **DMClient** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is for Windows 10, version 1907.
The XML below is for Windows 10, next major update.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -28,7 +31,355 @@ The XML below is for Windows 10, version 1907.
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DMClient</NodeName>
<Path>./Vendor/MSFT</Path>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.5/MDM/DMClient</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>Provider</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>FirstSyncStatus</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ExpectedPolicies</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ExpectedNetworkProfiles</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ExpectedMSIAppPackages</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ExpectedModernAppPackages</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ExpectedPFXCerts</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ExpectedSCEPCerts</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ServerHasFinishedProvisioning</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsSyncDone</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>WasDeviceSuccessfullyProvisioned</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowCollectLogsButton</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the user MDM status page (on a per user basis).</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CustomErrorText</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>DMClient</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
@ -622,6 +973,30 @@ The XML below is for Windows 10, version 1907.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AADSendDeviceToken</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Send the device AAD token, if the user one can't be returned</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Push</NodeName>
<DFProperties>
@ -1221,7 +1596,7 @@ The XML below is for Windows 10, version 1907.
<Get />
<Replace />
</AccessType>
<Description>This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED.</Description>
<Description>This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -1243,7 +1618,7 @@ The XML below is for Windows 10, version 1907.
<Get />
<Replace />
</AccessType>
<Description>This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times).</Description>
<Description>This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).</Description>
<DFFormat>
<bool />
</DFFormat>
@ -1265,7 +1640,7 @@ The XML below is for Windows 10, version 1907.
<Get />
<Replace />
</AccessType>
<Description>Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true.</Description>
<Description>Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).</Description>
<DFFormat>
<int />
</DFFormat>
@ -1280,6 +1655,137 @@ The XML below is for Windows 10, version 1907.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>BlockInStatusPage</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowCollectLogsButton</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CustomErrorText</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SkipDeviceStatusPage</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>Device only. This node decides wheter or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SkipUserStatusPage</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Device only. This node decides wheter or not the MDM user progress page skips after AADJ or DJ++ after user login.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>EnhancedAppLayerSecurity</NodeName>

BIN
windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 85 KiB

After

Width:  |  Height:  |  Size: 95 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-uefi.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

22
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,12 +10,16 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 01/12/2018
ms.date: 02/05/2018
---
# What's new in MDM enrollment and management
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
@ -1517,6 +1521,18 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top"><p>Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, next major update.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[DMClient CSP](dmclient-csp.md)</td>
<td style="vertical-align:top"><p>Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, next major update:</p>
<ul>
<li>AADSendDeviceToken</li>
<li>BlockInStatusPage</li>
<li>AllowCollectLogsButton</li>
<li>CustomErrorText</li>
<li>SkipDeviceStatusPage</li>
<li>SkipUserStatusPage</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
<td style="vertical-align:top"><p>Added the following nodes in Windows 10, next major update:</p>
<ul>
@ -1530,6 +1546,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[Defender CSP](defender-csp.md)</td>
<td style="vertical-align:top"><p>Added new node (OfflineScan) in Windows 10, next major update.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[UEFI CSP](uefi-csp.md)</td>
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, next major update.</p>
</td></tr>
</tbody>
</table>

25
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -376,30 +376,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-bitlocker.md#bitlocker-encryptionmethod" id="bitlocker-encryptionmethod">Bitlocker/EncryptionMethod</a>
</dd>
<dd>
<a href="./bitlocker-csp.md#encryptionmethodbydrivetype" id="encryptionmethodbydrivetype">BitLocker/EncryptionMethodByDriveType</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#fixeddrivesrecoveryoptions" id="fixeddrivesrecoveryoptions">BitLocker/FixedDrivesRecoveryOptions</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#fixeddrivesrequireencryption" id="fixeddrivesrequireencryption">BitLocker/FixedDrivesRequireEncryption</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#removabledrivesrequireencryption" id="removabledrivesrequireencryption">BitLocker/RemovableDrivesRequireEncryption</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesminimumpinlength" id="systemdrivesminimumpinlength">BitLocker/SystemDrivesMinimumPINLength</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrecoverymessage" id="systemdrivesrecoverymessage">BitLocker/SystemDrivesRecoveryMessage</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrecoveryoptions" id="systemdrivesrecoveryoptions">BitLocker/SystemDrivesRecoveryOptions</a> in BitLocker CSP
</dd>
<dd>
<a href="./bitlocker-csp.md#systemdrivesrequirestartupauthentication" id="systemdrivesrequirestartupauthentication">BitLocker/SystemDrivesRequireStartupAuthentication</a> in BitLocker CSP
</dd>
</dl>
### Bluetooth policies
@ -2822,6 +2798,7 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
<dd>
<a href="policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode" id="systemservices-configurexboxlivenetworkingservicestartupmode">SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode</a>
</dd>
### TaskScheduler policies

87
windows/client-management/mdm/uefi-csp.md Normal file
View File

@ -0,0 +1,87 @@
---
title: UEFI CSP
description: The Uefi CSP interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes.
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 02/01/2018
---
# UEFI CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, next major update.
The following diagram shows the UEFI CSP in tree format.
![Uefi CSP diagram](images/provisioning-csp-uefi.png)
The following list describes the characteristics and parameters.
<a href="" id="uefi"></a>**./Vendor/MSFT/Uefi**
Root node.
<a href="" id="uefideviceidentifier"></a>**UefiDeviceIdentifier**
Retrieves XML from UEFI which describes the device identifier.
Supported operation is Get.
<a href="" id="identityinfo"></a>**IdentityInfo**
Node for provisioned signers operations.
<a href="" id="identityinfo-current"></a>**IdentityInfo/Current**
Retrieves XML from UEFI which describes the current UEFI identity information.
Supported operation is Get.
<a href="" id="identityinfo-apply"></a>**IdentityInfo/Apply**
Apply an identity information package to UEFI. Input is the signed package in base64 encoded format.
Supported operation is Replace.
<a href="" id="identityinfo-applyresult"></a>**IdentityInfo/ApplyResult**
Retrieves XML describing the results of previous ApplyIdentityInfo operation.
Supported operation is Get.
<a href="" id="authinfo"></a>**AuthInfo**
Node for permission information operations.
<a href="" id="authinfo-current"></a>**AuthInfo/Current**
Retrieves XML from UEFI which describes the current UEFI permission/authentication information.
Supported operation is Get.
<a href="" id="authinfo-apply"></a>**AuthInfo/Apply**
Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format.
Supported operation is Replace.
<a href="" id="authinfo-applyresult"></a>**AuthInfo/ApplyResult**
Retrieves XML describing the results of previous ApplyAuthInfo operation.
Supported operation is Get.
<a href="" id="config"></a>**Config**
Node for device configuration
<a href="" id="config-current"></a>**Config/Current**
Retrieves XML from UEFI which describes the current UEFI configuration.
Supported operation is Get.
<a href="" id="config-apply"></a>**Config/Apply**
Apply a configuration package to UEFI. Input is the signed package in base64 encoded format.
Supported operation is Replace.
<a href="" id="config-applyresult"></a>**Config/ApplyResult**
Retrieves XML describing the results of previous ApplyConfig operation.
Supported operation is Get.

330
windows/client-management/mdm/uefi-ddf.md Normal file
View File

@ -0,0 +1,330 @@
---
title: UEFI DDF file
description: UEFI DDF file
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 02/01/2018
---
# UEFI DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Uefi** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Uefi</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/Uefi</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>UefiDeviceIdentifier</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Retrieves XML from UEFI which describes the device identifier.</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IdentityInfo</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Provisioned signers</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Current</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Retrieves XML from UEFI which describes the current UEFI identity information</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Apply</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Apply an identity information package to UEFI. Input is the signed package in base64 encoded format.</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ApplyResult</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Retrieves XML describing the results of previous ApplyIdentityInfo operation.</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>AuthInfo</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Permission Information</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Current</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Retrieves XML from UEFI which describes the current UEFI permission/authentication information.</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Apply</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format.</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ApplyResult</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Retrieves XML describing the results of previous ApplyAuthInfo operation.</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Config</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Device Configuration</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Current</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Retrieves XML from UEFI which describes the current UEFI configuration.</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Apply</NodeName>
<DFProperties>
<AccessType>
<Replace />
</AccessType>
<Description>Apply a configuration package to UEFI. Input is the signed package in base64 encoded format.</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ApplyResult</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Retrieves XML describing the results of previous ApplyConfig operation.</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```

16
windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -27,7 +27,15 @@ If you want to minimize connections from Windows to Microsoft services, or confi
You can configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887).
This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state.
Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document.
However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended.
Make sure should you've chosen the right settings configuration for your environment before applying.
You should not extract this package to the windows\\system32 folder because it will not apply correctly.
Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article.
It is recommended that you restart a device after making configuration changes to it.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
@ -73,9 +81,9 @@ The following sections list the components that make network connections to Micr
If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch.
### Settings for Windows 10 Enterprise, version 1703
### Settings for Windows 10 Enterprise
See the following table for a summary of the management settings for Windows 10 Enterprise, version 1703.
See the following table for a summary of the management settings for Windows 10 Enterprise, version 1709 and Windows 10 Enterprise, version 1703.
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
@ -1437,7 +1445,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry**, with a value of 0-3, as appropriate for your deployment (see below for the values for each level).
> [!NOTE]
> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI.
> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only availble in Windows 10 Enterprise edition.
-or-