From 8d361e28ad2fd80ee141e45d45819b6eb14f3a07 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Fri, 17 Feb 2023 15:47:39 -0500
Subject: [PATCH] DeviceStatus CSP + updates
---
.../client-management/mdm/activesync-csp.md | 8 +-
.../mdm/applicationcontrol-csp.md | 6 +-
windows/client-management/mdm/defender-csp.md | 666 +++--
windows/client-management/mdm/defender-ddf.md | 310 ++-
.../client-management/mdm/devicestatus-csp.md | 2312 ++++++++++++++---
.../client-management/mdm/devicestatus-ddf.md | 2067 ++++++++-------
.../policy-configuration-service-provider.md | 12 +-
windows/client-management/mdm/toc.yml | 2 +-
.../windowsdefenderapplicationguard-csp.md | 30 +-
.../client-management/mdm/wirednetwork-csp.md | 6 +-
10 files changed, 3770 insertions(+), 1649 deletions(-)
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index 35a64b74e3..3b755e0b6a 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the ActiveSync CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 02/16/2023
+ms.date: 02/17/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -293,7 +293,7 @@ Specify the account type. This value is entered during setup and cannot be modif
-Domain name of the Exchange server
+Domain name of the Exchange server.
@@ -450,7 +450,7 @@ Specifies the time window used for syncing calendar items to the phone.
-Interior node for Content Types
+Interior node for Content Types.
@@ -1018,7 +1018,7 @@ Specifies the mail body type and email age filter.
-Specifies the email body type. HTML or plain
+Specifies the email body type. HTML or plain.
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index c85489f632..191d8062df 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the ApplicationControl CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 02/16/2023
+ms.date: 02/17/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -347,7 +347,7 @@ TRUE/FALSE if the Policy is a Base Policy versus a Supplemental Policy.
-Whether the Policy indicated by the GUID is deployed on the system (on the physical machine).
+Whether the Policy indicated by the GUID is deployed on the system (on the physical machine)
@@ -390,7 +390,7 @@ Supported values are as follows:
-Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect).
+Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index dd6034f807..2975f06a35 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -1,10 +1,10 @@
---
title: Defender CSP
-description: Learn more about the Defender CSP
+description: Learn more about the Defender CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 11/02/2022
+ms.date: 02/17/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -31,6 +31,7 @@ The following example shows the Defender configuration service provider in tree
------ AllowNetworkProtectionOnWinServer
------ ASROnlyPerRuleExclusions
------ DataDuplicationDirectory
+------ DataDuplicationLocalRetentionPeriod
------ DataDuplicationRemoteLocation
------ DefaultEnforcement
------ DeviceControl
@@ -51,24 +52,23 @@ The following example shows the Defender configuration service provider in tree
------ DisableLocalAdminMerge
------ DisableNetworkProtectionPerfTelemetry
------ DisableRdpParsing
+------ DisableSmtpParsing
------ DisableSshParsing
------ DisableTlsParsing
------ EnableDnsSinkhole
------ EnableFileHashComputation
------ EngineUpdatesChannel
------- ExcludedIpAddresses
------ HideExclusionsFromLocalAdmins
+------ IntelTDTEnabled
------ MeteredConnectionUpdates
------ PassiveRemediation
------- PauseUpdateExpirationTime
------- PauseUpdateFlag
------- PauseUpdateStartTime
------ PlatformUpdatesChannel
+------ RandomizeScheduleTaskTimes
+------ ScanOnlyIfIdleEnabled
------ SchedulerRandomizationTime
------ SecurityIntelligenceUpdatesChannel
------ SupportLogLocation
------ TamperProtection
------- TDTFeatureEnabled
------ ThrottleForScheduledScanOnly
--- Detections
------ {ThreatId}
@@ -125,6 +125,7 @@ The following example shows the Defender configuration service provider in tree
+
An interior node to group Windows Defender configuration information.
@@ -163,6 +164,7 @@ An interior node to group Windows Defender configuration information.
+
This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection.
@@ -177,6 +179,7 @@ This settings controls whether Network Protection is allowed to enable datagram
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -185,7 +188,7 @@ This settings controls whether Network Protection is allowed to enable datagram
| Value | Description |
|:--|:--|
| 1 | Datagram processing on Windows Server is enabled. |
-| 0 | Datagram processing on Windows Server is disabled. |
+| 0 (Default) | Datagram processing on Windows Server is disabled. |
@@ -210,6 +213,7 @@ This settings controls whether Network Protection is allowed to enable datagram
+
This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored.
@@ -224,6 +228,7 @@ This settings controls whether Network Protection is allowed to be configured in
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -232,7 +237,7 @@ This settings controls whether Network Protection is allowed to be configured in
| Value | Description |
|:--|:--|
| 1 | Network protection will be enabled downlevel. |
-| 0 | Network protection will be disabled downlevel. |
+| 0 (Default) | Network protection will be disabled downlevel. |
@@ -257,6 +262,7 @@ This settings controls whether Network Protection is allowed to be configured in
+
This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored.
@@ -279,8 +285,8 @@ This settings controls whether Network Protection is allowed to be configured in
| Value | Description |
|:--|:--|
-| 1 (Default) | Allow |
-| 0 | Disallow |
+| 1 (Default) | Allow. |
+| 0 | Disallow. |
@@ -305,6 +311,7 @@ This settings controls whether Network Protection is allowed to be configured in
+
Apply ASR only per rule exclusions.
@@ -343,6 +350,7 @@ Apply ASR only per rule exclusions.
+
Define data duplication directory for device control.
@@ -365,6 +373,47 @@ Define data duplication directory for device control.
+
+### Configuration/DataDuplicationLocalRetentionPeriod
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationLocalRetentionPeriod
+```
+
+
+
+
+Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-120]` |
+| Default Value | 60 |
+
+
+
+
+
+
+
+
### Configuration/DataDuplicationRemoteLocation
@@ -381,6 +430,7 @@ Define data duplication directory for device control.
+
Define data duplication remote location for device control.
@@ -419,6 +469,7 @@ Define data duplication remote location for device control.
+
Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched.
@@ -433,6 +484,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
@@ -440,8 +492,8 @@ Control Device Control default enforcement. This is the enforcement applied if t
| Value | Description |
|:--|:--|
-| 1 | Default Allow Enforcement |
-| 2 | Default Deny Enforcement |
+| 1 (Default) | Default Allow Enforcement. |
+| 2 | Default Deny Enforcement. |
@@ -466,7 +518,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
@@ -504,7 +556,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
@@ -542,7 +594,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
@@ -580,7 +632,8 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
+Follow the instructions provided here:
@@ -618,7 +671,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
@@ -656,7 +709,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
@@ -694,7 +747,8 @@ Control Device Control default enforcement. This is the enforcement applied if t
-
+
+Follow the instructions provided here:
@@ -732,6 +786,7 @@ Control Device Control default enforcement. This is the enforcement applied if t
+
Control Device Control feature.
@@ -746,6 +801,7 @@ Control Device Control feature.
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -753,8 +809,8 @@ Control Device Control feature.
| Value | Description |
|:--|:--|
-| 1 | |
-| 0 | |
+| 1 | . |
+| 0 (Default) | . |
@@ -779,7 +835,8 @@ Control Device Control feature.
-Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
+
+Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
@@ -801,8 +858,8 @@ Indicates whether the CPU will be throttled for scheduled scans while the device
| Value | Description |
|:--|:--|
-| 1 (Default) | Disable CPU Throttle on idle scans |
-| 0 | Enable CPU Throttle on idle scans |
+| 1 (Default) | Disable CPU Throttle on idle scans. |
+| 0 | Enable CPU Throttle on idle scans. |
@@ -827,6 +884,7 @@ Indicates whether the CPU will be throttled for scheduled scans while the device
+
This setting disables DNS over TCP Parsing for Network Protection.
@@ -849,8 +907,8 @@ This setting disables DNS over TCP Parsing for Network Protection.
| Value | Description |
|:--|:--|
-| 1 | DNS over TCP parsing is disabled |
-| 0 (Default) | DNS over TCP parsing is enabled |
+| 1 | DNS over TCP parsing is disabled. |
+| 0 (Default) | DNS over TCP parsing is enabled. |
@@ -875,6 +933,7 @@ This setting disables DNS over TCP Parsing for Network Protection.
+
This setting disables DNS Parsing for Network Protection.
@@ -897,8 +956,8 @@ This setting disables DNS Parsing for Network Protection.
| Value | Description |
|:--|:--|
-| 1 | DNS parsing is disabled |
-| 0 (Default) | DNS parsing is enabled |
+| 1 | DNS parsing is disabled. |
+| 0 (Default) | DNS parsing is enabled. |
@@ -923,6 +982,7 @@ This setting disables DNS Parsing for Network Protection.
+
This setting disables FTP Parsing for Network Protection.
@@ -945,8 +1005,8 @@ This setting disables FTP Parsing for Network Protection.
| Value | Description |
|:--|:--|
-| 1 | FTP parsing is disabled |
-| 0 (Default) | FTP parsing is enabled |
+| 1 | FTP parsing is disabled. |
+| 0 (Default) | FTP parsing is enabled. |
@@ -971,6 +1031,7 @@ This setting disables FTP Parsing for Network Protection.
+
Enable this policy to disable gradual rollout of Defender updates.
@@ -985,6 +1046,7 @@ Enable this policy to disable gradual rollout of Defender updates.
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -992,8 +1054,8 @@ Enable this policy to disable gradual rollout of Defender updates.
| Value | Description |
|:--|:--|
-| 1 | Gradual release is disabled |
-| 0 | Gradual release is enabled |
+| 1 | Gradual release is disabled. |
+| 0 (Default) | Gradual release is enabled. |
@@ -1018,6 +1080,7 @@ Enable this policy to disable gradual rollout of Defender updates.
+
This setting disables HTTP Parsing for Network Protection.
@@ -1040,8 +1103,8 @@ This setting disables HTTP Parsing for Network Protection.
| Value | Description |
|:--|:--|
-| 1 | HTTP parsing is disabled |
-| 0 (Default) | HTTP parsing is enabled |
+| 1 | HTTP parsing is disabled. |
+| 0 (Default) | HTTP parsing is enabled. |
@@ -1066,6 +1129,7 @@ This setting disables HTTP Parsing for Network Protection.
+
This setting disables Inbound connection filtering for Network Protection.
@@ -1080,6 +1144,7 @@ This setting disables Inbound connection filtering for Network Protection.
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -1087,8 +1152,8 @@ This setting disables Inbound connection filtering for Network Protection.
| Value | Description |
|:--|:--|
-| 1 | Inbound connection filtering is disabled |
-| 0 | Inbound connection filtering is enabled |
+| 1 | Inbound connection filtering is disabled. |
+| 0 (Default) | Inbound connection filtering is enabled. |
@@ -1113,7 +1178,8 @@ This setting disables Inbound connection filtering for Network Protection.
-When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings
+
+When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings.
@@ -1127,6 +1193,7 @@ When this value is set to false, it allows a local admin the ability to specify
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -1134,8 +1201,8 @@ When this value is set to false, it allows a local admin the ability to specify
| Value | Description |
|:--|:--|
-| 1 | Disable Local Admin Merge |
-| 0 | Enable Local Admin Merge |
+| 1 | Disable Local Admin Merge. |
+| 0 (Default) | Enable Local Admin Merge. |
@@ -1160,6 +1227,7 @@ When this value is set to false, it allows a local admin the ability to specify
+
This setting disables the gathering and send of performance telemetry from Network Protection.
@@ -1174,6 +1242,7 @@ This setting disables the gathering and send of performance telemetry from Netwo
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -1181,8 +1250,8 @@ This setting disables the gathering and send of performance telemetry from Netwo
| Value | Description |
|:--|:--|
-| 1 | Network protection telemetry is disabled |
-| 0 | Network protection telemetry is enabled |
+| 1 | Network protection telemetry is disabled. |
+| 0 (Default) | Network protection telemetry is enabled. |
@@ -1207,6 +1276,7 @@ This setting disables the gathering and send of performance telemetry from Netwo
+
This setting disables RDP Parsing for Network Protection.
@@ -1221,6 +1291,7 @@ This setting disables RDP Parsing for Network Protection.
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -1228,8 +1299,8 @@ This setting disables RDP Parsing for Network Protection.
| Value | Description |
|:--|:--|
-| 1 | RDP Parsing is disabled |
-| 0 | RDP Parsing is enabled |
+| 1 | RDP Parsing is disabled. |
+| 0 (Default) | RDP Parsing is enabled. |
@@ -1238,6 +1309,55 @@ This setting disables RDP Parsing for Network Protection.
+
+### Configuration/DisableSmtpParsing
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableSmtpParsing
+```
+
+
+
+
+This setting disables SMTP Parsing for Network Protection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | SMTP parsing is disabled. |
+| 0 (Default) | SMTP parsing is enabled. |
+
+
+
+
+
+
+
+
### Configuration/DisableSshParsing
@@ -1254,6 +1374,7 @@ This setting disables RDP Parsing for Network Protection.
+
This setting disables SSH Parsing for Network Protection.
@@ -1276,8 +1397,8 @@ This setting disables SSH Parsing for Network Protection.
| Value | Description |
|:--|:--|
-| 1 | SSH parsing is disabled |
-| 0 (Default) | SSH parsing is enabled |
+| 1 | SSH parsing is disabled. |
+| 0 (Default) | SSH parsing is enabled. |
@@ -1302,6 +1423,7 @@ This setting disables SSH Parsing for Network Protection.
+
This setting disables TLS Parsing for Network Protection.
@@ -1324,8 +1446,8 @@ This setting disables TLS Parsing for Network Protection.
| Value | Description |
|:--|:--|
-| 1 | TLS parsing is disabled |
-| 0 (Default) | TLS parsing is enabled |
+| 1 | TLS parsing is disabled. |
+| 0 (Default) | TLS parsing is enabled. |
@@ -1350,6 +1472,7 @@ This setting disables TLS Parsing for Network Protection.
+
This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode.
@@ -1364,6 +1487,7 @@ This setting enables the DNS Sinkhole feature for Network Protection, respecting
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
@@ -1371,8 +1495,8 @@ This setting enables the DNS Sinkhole feature for Network Protection, respecting
| Value | Description |
|:--|:--|
-| 1 | DNS Sinkhole is disabled |
-| 0 | DNS Sinkhole is enabled |
+| 1 (Default) | DNS Sinkhole is disabled. |
+| 0 | DNS Sinkhole is enabled. |
@@ -1397,6 +1521,7 @@ This setting enables the DNS Sinkhole feature for Network Protection, respecting
+
Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans.
@@ -1419,8 +1544,8 @@ Enables or disables file hash computation feature. When this feature is enabled
| Value | Description |
|:--|:--|
-| 0 (Default) | Disable |
-| 1 | Enable |
+| 0 (Default) | Disable. |
+| 1 | Enable. |
@@ -1445,6 +1570,7 @@ Enables or disables file hash computation feature. When this feature is enabled
+
Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
@@ -1459,6 +1585,7 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -1466,7 +1593,7 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd
| Value | Description |
|:--|:--|
-| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
+| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
| 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. |
| 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. |
| 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). |
@@ -1480,45 +1607,6 @@ Enable this policy to specify when devices receive Microsoft Defender engine upd
-
-### Configuration/ExcludedIpAddresses
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
-
-
-
-```Device
-./Device/Vendor/MSFT/Defender/Configuration/ExcludedIpAddresses
-```
-
-
-
-This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | chr (string) |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | List (Delimiter: `|`) |
-
-
-
-
-
-
-
-
### Configuration/HideExclusionsFromLocalAdmins
@@ -1535,7 +1623,8 @@ This node contains a list of values specifying any IP addresses that wdnisdrv wi
-This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled.
+
+This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled.
@@ -1551,6 +1640,7 @@ This policy setting controls whether or not exclusions are visible to local admi
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -1559,7 +1649,7 @@ This policy setting controls whether or not exclusions are visible to local admi
| Value | Description |
|:--|:--|
| 1 | If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. |
-| 0 | If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. |
+| 0 (Default) | If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. |
@@ -1568,6 +1658,55 @@ This policy setting controls whether or not exclusions are visible to local admi
+
+### Configuration/IntelTDTEnabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/IntelTDTEnabled
+```
+
+
+
+
+This policy setting configures the Intel TDT integration level for Intel TDT-capable devices.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat. |
+| 2 | If you configure this setting to disabled, Intel TDT integration will turn off. |
+
+
+
+
+
+
+
+
### Configuration/MeteredConnectionUpdates
@@ -1584,7 +1723,8 @@ This policy setting controls whether or not exclusions are visible to local admi
-Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed
+
+Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed.
@@ -1606,8 +1746,8 @@ Allow managed devices to update through metered connections. Default is 0 - not
| Value | Description |
|:--|:--|
-| 1 | Allowed |
-| 0 (Default) | Not Allowed |
+| 1 | Allowed. |
+| 0 (Default) | Not Allowed. |
@@ -1632,6 +1772,7 @@ Allow managed devices to update through metered connections. Default is 0 - not
+
Setting to control automatic remediation for Sense scans.
@@ -1646,6 +1787,7 @@ Setting to control automatic remediation for Sense scans.
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -1653,9 +1795,9 @@ Setting to control automatic remediation for Sense scans.
| Flag | Description |
|:--|:--|
-| 0x1 | PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation |
-| 0x2 | PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit |
-| 0x4 | PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation |
+| 0x1 | |
+| 0x2 | |
+| 0x4 | |
@@ -1664,129 +1806,6 @@ Setting to control automatic remediation for Sense scans.
-
-### Configuration/PauseUpdateExpirationTime
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
-
-
-
-```Device
-./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateExpirationTime
-```
-
-
-
-Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | chr (string) |
-| Access Type | Add, Delete, Get, Replace |
-
-
-
-
-
-
-
-
-
-### Configuration/PauseUpdateFlag
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
-
-
-
-```Device
-./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateFlag
-```
-
-
-
-Setting to control automatic remediation for Sense scans.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | int |
-| Access Type | Add, Delete, Get, Replace |
-
-
-
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 | Update not paused |
-| 1 | Update paused |
-
-
-
-
-
-
-
-
-
-### Configuration/PauseUpdateStartTime
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
-
-
-
-```Device
-./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateStartTime
-```
-
-
-
-Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | chr (string) |
-| Access Type | Add, Delete, Get, Replace |
-
-
-
-
-
-
-
-
### Configuration/PlatformUpdatesChannel
@@ -1803,6 +1822,7 @@ Pause update from the UTC time in ISO string format without milliseconds, for ex
+
Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
@@ -1817,6 +1837,7 @@ Enable this policy to specify when devices receive Microsoft Defender platform u
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -1824,7 +1845,7 @@ Enable this policy to specify when devices receive Microsoft Defender platform u
| Value | Description |
|:--|:--|
-| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
+| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
| 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. |
| 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. |
| 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). |
@@ -1838,6 +1859,104 @@ Enable this policy to specify when devices receive Microsoft Defender platform u
+
+### Configuration/RandomizeScheduleTaskTimes
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/RandomizeScheduleTaskTimes
+```
+
+
+
+
+In Microsoft Defender Antivirus, randomize the start time of the scan to any interval from 0 to 23 hours. This can be useful in virtual machines or VDI deployments.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 (Default) | Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting SchedulerRandomizationTime. |
+| 0 | Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler. |
+
+
+
+
+
+
+
+
+
+### Configuration/ScanOnlyIfIdleEnabled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/ScanOnlyIfIdleEnabled
+```
+
+
+
+
+In Microsoft Defender Antivirus, this setting will run scheduled scans only if the system is idle.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 (Default) | Runs scheduled scans only if the system is idle. |
+| 0 | Runs scheduled scans regardless of whether the system is idle. |
+
+
+
+
+
+
+
+
### Configuration/SchedulerRandomizationTime
@@ -1854,6 +1973,7 @@ Enable this policy to specify when devices receive Microsoft Defender platform u
+
This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting.
@@ -1894,6 +2014,7 @@ This setting allows you to configure the scheduler randomization in hours. The r
+
Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout.
@@ -1908,6 +2029,7 @@ Enable this policy to specify when devices receive Microsoft Defender security i
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -1915,7 +2037,7 @@ Enable this policy to specify when devices receive Microsoft Defender security i
| Value | Description |
|:--|:--|
-| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
+| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
| 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). |
| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
@@ -1942,6 +2064,7 @@ Enable this policy to specify when devices receive Microsoft Defender security i
+
The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.
@@ -1992,6 +2115,7 @@ More details:
+
Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob.
@@ -2006,6 +2130,7 @@ Tamper protection helps protect important security features from unwanted change
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
@@ -2014,54 +2139,6 @@ Tamper protection helps protect important security features from unwanted change
-
-### Configuration/TDTFeatureEnabled
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
-
-
-
-```Device
-./Device/Vendor/MSFT/Defender/Configuration/TDTFeatureEnabled
-```
-
-
-
-This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | int |
-| Access Type | Add, Delete, Get, Replace |
-| Default Value | 0 |
-
-
-
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft. |
-| 2 | If you configure this setting to disabled, Intel TDT integration will be turned off. |
-
-
-
-
-
-
-
-
### Configuration/ThrottleForScheduledScanOnly
@@ -2078,6 +2155,7 @@ This policy setting configures the integration level for Intel TDT integration f
+
A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only.
@@ -2126,6 +2204,7 @@ A CPU usage limit can be applied to scheduled scans only, or to scheduled and cu
+
An interior node to group all threats detected by Windows Defender.
@@ -2164,6 +2243,7 @@ An interior node to group all threats detected by Windows Defender.
+
The ID of a threat that has been detected by Windows Defender.
@@ -2203,7 +2283,8 @@ The ID of a threat that has been detected by Windows Defender.
-Threat category ID. Supported values:
+
+Threat category ID. Supported values:
| Value | Description |
|:--|:--|
@@ -2294,6 +2375,7 @@ Threat category ID. Supported values:
+
Information about the current status of the threat. The following list shows the supported values:
| Value | Description |
@@ -2346,6 +2428,7 @@ Information about the current status of the threat. The following list shows the
+
Information about the execution status of the threat.
@@ -2384,6 +2467,7 @@ Information about the execution status of the threat.
+
The first time this particular threat was detected.
@@ -2422,6 +2506,7 @@ The first time this particular threat was detected.
+
The last time this particular threat was changed.
@@ -2460,6 +2545,7 @@ The last time this particular threat was changed.
+
The name of the specific threat.
@@ -2498,6 +2584,7 @@ The name of the specific threat.
+
Number of times this threat has been detected on a particular client.
@@ -2536,6 +2623,7 @@ Number of times this threat has been detected on a particular client.
+
Threat severity ID. The following list shows the supported values:
| Value | Description |
@@ -2582,6 +2670,7 @@ Threat severity ID. The following list shows the supported values:
+
URL link for additional threat information.
@@ -2620,6 +2709,7 @@ URL link for additional threat information.
+
An interior node to group information about Windows Defender health status.
@@ -2658,6 +2748,7 @@ An interior node to group information about Windows Defender health status.
+
Provide the current state of the device. The following list shows the supported values:
| Value | Description |
@@ -2705,6 +2796,7 @@ Provide the current state of the device. The following list shows the supported
+
Indicates whether the Windows Defender service is running.
@@ -2743,6 +2835,7 @@ Indicates whether the Windows Defender service is running.
+
Version number of Windows Defender on the device.
@@ -2781,6 +2874,7 @@ Version number of Windows Defender on the device.
+
Version number of the current Windows Defender engine on the device.
@@ -2819,6 +2913,7 @@ Version number of the current Windows Defender engine on the device.
+
Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default).
@@ -2857,6 +2952,7 @@ Indicates whether a Windows Defender full scan is overdue for the device. A Full
+
Indicates whether a Windows Defender full scan is required.
@@ -2895,6 +2991,7 @@ Indicates whether a Windows Defender full scan is required.
+
Signature version used for the last full scan of the device.
@@ -2933,6 +3030,7 @@ Signature version used for the last full scan of the device.
+
Time of the last Windows Defender full scan of the device.
@@ -2971,6 +3069,7 @@ Time of the last Windows Defender full scan of the device.
+
Indicates whether the device is a virtual machine.
@@ -3009,6 +3108,7 @@ Indicates whether the device is a virtual machine.
+
Indicates whether network protection is running.
@@ -3047,6 +3147,7 @@ Indicates whether network protection is running.
+
Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. Supported product status values:
| Value | Description |
@@ -3131,6 +3232,7 @@ Provide the current state of the product. This is a bitmask flag value that can
+
Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catchup Quick scans are disabled (default).
@@ -3169,6 +3271,7 @@ Indicates whether a Windows Defender quick scan is overdue for the device. A Qui
+
Signature version used for the last quick scan of the device.
@@ -3207,6 +3310,7 @@ Signature version used for the last quick scan of the device.
+
Time of the last Windows Defender quick scan of the device.
@@ -3245,6 +3349,7 @@ Time of the last Windows Defender quick scan of the device.
+
Indicates whether a device reboot is needed.
@@ -3283,6 +3388,7 @@ Indicates whether a device reboot is needed.
+
Indicates whether real-time protection is running.
@@ -3321,6 +3427,7 @@ Indicates whether real-time protection is running.
+
Indicates whether the Windows Defender signature is outdated.
@@ -3359,6 +3466,7 @@ Indicates whether the Windows Defender signature is outdated.
+
Version number of the current Windows Defender signatures on the device.
@@ -3397,6 +3505,7 @@ Version number of the current Windows Defender signatures on the device.
+
Indicates whether the Windows Defender tamper protection feature is enabled.
@@ -3435,6 +3544,7 @@ Indicates whether the Windows Defender tamper protection feature is enabled.
+
OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan.
@@ -3474,6 +3584,7 @@ OfflineScan action starts a Microsoft Defender Offline scan on the computer wher
+
RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command.
@@ -3513,6 +3624,7 @@ RollbackEngine action rolls back Microsoft Defender engine to it's last known go
+
RollbackPlatform action rolls back Microsoft Defender to it's last known good installation location on the computer where you run the command.
@@ -3552,6 +3664,7 @@ RollbackPlatform action rolls back Microsoft Defender to it's last known good in
+
Node that can be used to start a Windows Defender scan on a device.
@@ -3573,8 +3686,8 @@ Node that can be used to start a Windows Defender scan on a device.
| Value | Description |
|:--|:--|
-| 1 | quick scan |
-| 2 | full scan |
+| 1 | Quick scan. |
+| 2 | Full scan. |
@@ -3599,6 +3712,7 @@ Node that can be used to start a Windows Defender scan on a device.
+
Node that can be used to perform signature updates for Windows Defender.
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 661c491b22..b540c17da8 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 11/02/2022
+ms.date: 02/17/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the D
10.0.10586
1.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;
@@ -816,6 +816,7 @@ The following XML file contains the device description framework (DDF) for the D
+ Follow the instructions provided here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-worldwide
@@ -884,6 +885,7 @@ The following XML file contains the device description framework (DDF) for the D
+ Follow the instructions provided here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-worldwide
@@ -910,6 +912,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob.
@@ -1024,7 +1027,7 @@ The following XML file contains the device description framework (DDF) for the D
10.0.14393
- 9.9
+ 1.3
@@ -1069,37 +1072,6 @@ The following XML file contains the device description framework (DDF) for the D
-
- ExcludedIpAddresses
-
-
-
-
-
-
-
- This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic.
-
-
-
-
-
-
-
-
-
-
-
-
-
- 10.0.14393
- 1.3
-
-
-
-
-
-
DisableCpuThrottleOnIdleScans
@@ -1148,6 +1120,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings
@@ -1452,6 +1425,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
@@ -1506,6 +1480,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
@@ -1560,6 +1535,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout.
@@ -1602,6 +1578,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
Enable this policy to disable gradual rollout of Defender updates.
@@ -1640,6 +1617,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored.
@@ -1678,6 +1656,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 1
This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode.
@@ -1716,6 +1695,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
This setting disables Inbound connection filtering for Network Protection.
@@ -1754,6 +1734,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
This setting disables RDP Parsing for Network Protection.
@@ -1792,6 +1773,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection.
@@ -1830,6 +1812,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
This setting disables the gathering and send of performance telemetry from Network Protection.
@@ -1868,6 +1851,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
This policy setting controls whether or not exclusions are visible to local admins. For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled.
@@ -2026,6 +2010,38 @@ The following XML file contains the device description framework (DDF) for the D
+
+ DataDuplicationLocalRetentionPeriod
+
+
+
+
+
+
+
+ 60
+ Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17763
+ 1.3
+
+
+ [1-120]
+
+
+
DeviceControlEnabled
@@ -2035,6 +2051,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
Control Device Control feature.
@@ -2075,6 +2092,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 1
Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched.
@@ -2113,6 +2131,7 @@ The following XML file contains the device description framework (DDF) for the D
+ 0
Setting to control automatic remediation for Sense scans.
@@ -2147,105 +2166,7 @@ The following XML file contains the device description framework (DDF) for the D
- PauseUpdateStartTime
-
-
-
-
-
-
-
- Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z.
-
-
-
-
-
-
-
-
-
-
-
-
-
- 10.0.14393
- 1.3
-
-
-
-
-
-
- PauseUpdateExpirationTime
-
-
-
-
-
-
-
- Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z.
-
-
-
-
-
-
-
-
-
-
-
-
-
- 10.0.14393
- 1.3
-
-
-
-
-
-
- PauseUpdateFlag
-
-
-
-
-
-
-
- Setting to control automatic remediation for Sense scans.
-
-
-
-
-
-
-
-
-
-
-
-
-
- 10.0.14393
- 1.3
-
-
-
- 0
- Update not paused
-
-
- 1
- Update paused
-
-
-
-
-
- TDTFeatureEnabled
+ IntelTDTEnabled
@@ -2254,7 +2175,7 @@ The following XML file contains the device description framework (DDF) for the D
0
- This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices.
+ This policy setting configures the Intel TDT integration level for Intel TDT-capable devices.
@@ -2274,11 +2195,128 @@ The following XML file contains the device description framework (DDF) for the D
0
- If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft.
+ If you do not configure this setting, the default value will be applied. The default value is controlled by Microsoft security intelligence updates. Microsoft will enable Intel TDT if there is a known threat.
2
- If you configure this setting to disabled, Intel TDT integration will be turned off.
+ If you configure this setting to disabled, Intel TDT integration will turn off.
+
+
+
+
+
+ DisableSmtpParsing
+
+
+
+
+
+
+
+ 0
+ This setting disables SMTP Parsing for Network Protection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.3
+
+
+
+ 1
+ SMTP parsing is disabled
+
+
+ 0
+ SMTP parsing is enabled
+
+
+
+
+
+ RandomizeScheduleTaskTimes
+
+
+
+
+
+
+
+ 1
+ In Microsoft Defender Antivirus, randomize the start time of the scan to any interval from 0 to 23 hours. This can be useful in virtual machines or VDI deployments.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.3
+
+
+
+ 1
+ Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting SchedulerRandomizationTime.
+
+
+ 0
+ Scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler.
+
+
+
+
+
+ ScanOnlyIfIdleEnabled
+
+
+
+
+
+
+
+ 1
+ In Microsoft Defender Antivirus, this setting will run scheduled scans only if the system is idle.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.3
+
+
+
+ 1
+ Runs scheduled scans only if the system is idle.
+
+
+ 0
+ Runs scheduled scans regardless of whether the system is idle.
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index 0f4c3a631c..1bc6a9f0a1 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -1,375 +1,2075 @@
---
title: DeviceStatus CSP
-description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
-ms.reviewer:
+description: Learn more about the DeviceStatus CSP.
+author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 02/17/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 06/25/2021
+ms.topic: reference
---
+
+
+
# DeviceStatus CSP
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
+
+
+
+
The following example shows the DeviceStatus configuration service provider in tree format.
+
+```text
+./Vendor/MSFT/DeviceStatus
+--- Antispyware
+------ SignatureStatus
+------ Status
+--- Antivirus
+------ SignatureStatus
+------ Status
+--- Battery
+------ EstimatedChargeRemaining
+------ EstimatedRuntime
+------ Status
+--- CellularIdentities
+------ {IMEI}
+--------- CommercializationOperator
+--------- ICCID
+--------- IMSI
+--------- PhoneNumber
+--------- RoamingCompliance
+--------- RoamingStatus
+--- CertAttestation
+------ MDMClientCertAttestation
+--- Compliance
+------ EncryptionCompliance
+--- DeviceGuard
+------ HypervisorEnforcedCodeIntegrityStatus
+------ LsaCfgCredGuardStatus
+------ SystemGuardStatus
+------ VirtualizationBasedSecurityHwReq
+------ VirtualizationBasedSecurityStatus
+--- DMA
+------ BootDMAProtectionStatus
+--- DomainName
+--- Firewall
+------ Status
+--- NetworkIdentifiers
+------ {MacAddress}
+--------- IPAddressV4
+--------- IPAddressV6
+--------- IsConnected
+--------- Type
+--- OS
+------ Edition
+------ Mode
+--- SecureBootState
+--- TPM
+------ ManufacturerId
+------ ManufacturerIdTxt
+------ ManufacturerVersion
+------ SpecificationVersion
+--- UAC
+------ Status
```
-./Vendor/MSFT
-DeviceStatus
-----SecureBootState
-----CellularIdentities
---------IMEI
-------------IMSI
-------------ICCID
-------------PhoneNumber
-------------CommercializationOperator
-------------RoamingStatus
-------------RoamingCompliance
-----NetworkIdentifiers
---------MacAddress
-------------IPAddressV4
-------------IPAddressV6
-------------IsConnected
-------------Type
-----Compliance
---------EncryptionCompliance
-----TPM
---------SpecificationVersion
-----OS
---------Edition
---------Mode
-----Antivirus
---------SignatureStatus
---------Status
-----Antispyware
---------SignatureStatus
---------Status
-----Firewall
---------Status
-----UAC
---------Status
-----Battery
---------Status
---------EstimatedChargeRemaining
---------EstimatedRuntime
-----DomainName
-----DeviceGuard
---------VirtualizationBasedSecurityHwReq
---------VirtualizationBasedSecurityStatus
---------LsaCfgCredGuardStatus
-----CertAttestation
---------MDMClientCertAttestation
+
+
+
+## Antispyware
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/Antispyware
```
+
-**DeviceStatus**
-The root node for the DeviceStatus configuration service provider.
+
+
+Node for the antispyware query.
+
-**DeviceStatus/SecureBootState**
-Indicates whether secure boot is enabled. The value is one of the following values:
+
+
+
-- 0 - Not supported
-- 1 - Enabled
-- 2 - Disabled
+
+**Description framework properties**:
-Supported operation is Get.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
-**DeviceStatus/CellularIdentities**
-Required. Node for queries on the SIM cards.
+
+
+
->[!NOTE]
->Multiple SIMs are supported.
+
-**DeviceStatus/CellularIdentities/***IMEI*
-The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device.
+
+### Antispyware/SignatureStatus
-**DeviceStatus/CellularIdentities/*IMEI*/IMSI**
-The International Mobile Subscriber Identity (IMSI) associated with the IMEI number.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-Supported operation is Get.
+
+```Device
+./Vendor/MSFT/DeviceStatus/Antispyware/SignatureStatus
+```
+
-**DeviceStatus/CellularIdentities/*IMEI*/ICCID**
-The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number.
+
+
+Integer that specifies the status of the antispyware signature. Valid values:
-Supported operation is Get.
+0 - The security software reports that it is not the most recent version.
+1 - The security software reports that it is the most recent version.
+2 - Not applicable.
-**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber**
-Phone number associated with the specific IMEI number.
-
-Supported operation is Get.
-
-**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator**
-The mobile service provider or mobile operator associated with the specific IMEI number.
-
-Supported operation is Get.
-
-**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus**
-Indicates whether the SIM card associated with the specific IMEI number is roaming.
-
-Supported operation is Get.
-
-**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance**
-Boolean value that indicates compliance with the enforced enterprise roaming policy.
-
-Supported operation is Get.
-
-**DeviceStatus/NetworkIdentifiers**
-Node for queries on network and device properties.
-
-**DeviceStatus/NetworkIdentifiers/***MacAddress*
-MAC address of the wireless network card. A MAC address is present for each network card on the device.
-
-**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4**
-IPv4 address of the network card associated with the MAC address.
-
-Supported operation is Get.
-
-**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6**
-IPv6 address of the network card associated with the MAC address.
-
-Supported operation is Get.
-
-**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected**
-Boolean value that indicates whether the network card associated with the MAC address has an active network connection.
-
-Supported operation is Get.
-
-**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
-Type of network connection. The value is one of the following values:
-
-- 2 - WLAN (or other Wireless interface)
-- 1 - LAN (or other Wired interface)
-- 0 - Unknown
-
-Supported operation is Get.
-
-**DeviceStatus/Compliance**
-Node for the compliance query.
-
-**DeviceStatus/Compliance/EncryptionCompliance**
-Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values:
-
-- 0 - Not encrypted
-- 1 - Encrypted
-
-Supported operation is Get.
-
-**DeviceStatus/TPM**
-Added in Windows, version 1607. Node for the TPM query.
-
-Supported operation is Get.
-
-**DeviceStatus/TPM/SpecificationVersion**
-Added in Windows, version 1607. String that specifies the specification version.
-
-Supported operation is Get.
-
-**DeviceStatus/OS**
-Added in Windows, version 1607. Node for the OS query.
-
-Supported operation is Get.
-
-**DeviceStatus/OS/Edition**
-Added in Windows, version 1607. String that specifies the OS edition.
-
-Supported operation is Get.
-
-**DeviceStatus/OS/Mode**
-Added in Windows, version 1803. Read only node that specifies the device mode.
-
-Valid values:
-
-- 0 - The device is in standard configuration.
-- 1 - The device is in S mode configuration.
-
-Supported operation is Get.
-
-**DeviceStatus/Antivirus**
-Added in Windows, version 1607. Node for the antivirus query.
-
-Supported operation is Get.
-
-**DeviceStatus/Antivirus/SignatureStatus**
-Added in Windows, version 1607. Integer that specifies the status of the antivirus signature.
-
-Valid values:
-
-- 0 - The security software reports that it isn't the most recent version.
-- 1 (default) - The security software reports that it's the most recent version.
-- 2 – Not applicable. It is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
-
-Supported operation is Get.
-
-If more than one antivirus provider is active, this node returns:
-
-- 1 – If every active antivirus provider has a valid signature status.
-- 0 – If any of the active antivirus providers has an invalid signature status.
-
-This node also returns 0 when no antivirus provider is active.
-
-**DeviceStatus/Antivirus/Status**
-Added in Windows, version 1607. Integer that specifies the status of the antivirus.
-
-Valid values:
-
-- 0 – Antivirus is on and monitoring.
-- 1 – Antivirus is disabled.
-- 2 – Antivirus isn't monitoring the device/PC or some options have been turned off.
-- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC.
-- 4 – Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
-
-Supported operation is Get.
-
-**DeviceStatus/Antispyware**
-Added in Windows, version 1607. Node for the anti-spyware query.
-
-Supported operation is Get.
-
-**DeviceStatus/Antispyware/SignatureStatus**
-Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature.
-
-Valid values:
-
-- 0 - The security software reports that it isn't the most recent version.
-- 1 - The security software reports that it's the most recent version.
-- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
-
-Supported operation is Get.
-
-If more than one anti-spyware provider is active, this node returns:
-
-- 1 – If every active anti-spyware provider has a valid signature status.
-- 0 – If any of the active anti-spyware providers has an invalid signature status.
+This is returned for devices like the phone that do not have an antivirus (where the API doesn't exist.) If more than one antispyware provider is active, this node returns: 1 - If every active antispyware provider has a valid signature status. 0 - If any of the active antispyware providers has an invalid signature status.
+
+
+
This node also returns 0 when no anti-spyware provider is active.
+
-**DeviceStatus/Antispyware/Status**
-Added in Windows, version 1607. Integer that specifies the status of the anti-spyware.
+
+**Description framework properties**:
-Valid values:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+| Default Value | 1 |
+
-- 0 - The status of the security provider category is good and doesn't need user attention.
-- 1 - The status of the security provider category isn't monitored by Windows Security.
-- 2 - The status of the security provider category is poor and the computer may be at risk.
-- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service isn't actively protecting the computer.
+
+
+
-Supported operation is Get.
+
-**DeviceStatus/Firewall**
-Added in Windows, version 1607. Node for the firewall query.
+
+### Antispyware/Status
-Supported operation is Get.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-**DeviceStatus/Firewall/Status**
-Added in Windows, version 1607. Integer that specifies the status of the firewall.
+
+```Device
+./Vendor/MSFT/DeviceStatus/Antispyware/Status
+```
+
-Valid values:
+
+
+Integer that specifies the status of the antispyware. Valid values:
-- 0 – Firewall is on and monitoring.
-- 1 – Firewall has been disabled.
-- 2 – Firewall isn't monitoring all networks or some rules have been turned off.
-- 3 (default) – Firewall is temporarily not monitoring all networks.
-- 4 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.)
+0 - The status of the security provider category is good and does not need user attention.
+1 - The status of the security provider category is not monitored by Windows Security Center(WSC).
+2 - The status of the security provider category is poor and the computer may be at risk.
+3 - The security provider category is in snooze state.
-Supported operation is Get.
+Snooze indicates that WSC is not actively protecting the computer.
+
-**DeviceStatus/UAC**
-Added in Windows, version 1607. Node for the UAC query.
+
+
+
-Supported operation is Get.
+
+**Description framework properties**:
-**DeviceStatus/UAC/Status**
-Added in Windows, version 1607. Integer that specifies the status of the UAC.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+| Default Value | 3 |
+
-Supported operation is Get.
+
+
+
-**DeviceStatus/Battery**
-Added in Windows, version 1607. Node for the battery query.
+
-Supported operation is Get.
+
+## Antivirus
-**DeviceStatus/Battery/Status**
-Added in Windows, version 1607. Integer that specifies the status of the battery
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-Supported operation is Get.
+
+```Device
+./Vendor/MSFT/DeviceStatus/Antivirus
+```
+
-**DeviceStatus/Battery/EstimatedChargeRemaining**
-Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
+
+
+Node for the antivirus query.
+
-The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
+
+
+
-Supported operation is Get.
+
+**Description framework properties**:
-**DeviceStatus/Battery/EstimatedRuntime**
-Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
-The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
+
+
+
-Supported operation is Get.
+
-**DeviceStatus/DomainName**
-Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string.
+
+### Antivirus/SignatureStatus
-Supported operation is Get.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-**DeviceStatus/DeviceGuard**
-Added in Windows, version 1709. Node for Device Guard query.
+
+```Device
+./Vendor/MSFT/DeviceStatus/Antivirus/SignatureStatus
+```
+
-Supported operation is Get.
+
+
+Integer that specifies the status of the antivirus signature. Valid values: 0 - The security software reports that it is not the most recent version. 1 (default) - The security software reports that it is the most recent version. 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn't exist.) If more than one antivirus provider is active, this node returns: 1 - If every active antivirus provider has a valid signature status. 0 - If any of the active antivirus providers has an invalid signature status.
+
-**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**
-Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask.
+
+
+This node also returns 0 when no antivirus provider is active.
+
-- 0x0: System meets hardware configuration requirements
-- 0x1: SecureBoot required
-- 0x2: DMA Protection required
-- 0x4: HyperV not supported for Guest VM
-- 0x8: HyperV feature isn't available
+
+**Description framework properties**:
-Supported operation is Get.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+| Default Value | 1 |
+
-**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
-Added in Windows, version 1709. Virtualization-based security status. Value is one of the following:
+
+
+
-- 0 - Running
-- 1 - Reboot required
-- 2 - 64-bit architecture required
-- 3 - Not licensed
-- 4 - Not configured
-- 5 - System doesn't meet hardware requirements
-- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details.
+
-Supported operation is Get.
+
+### Antivirus/Status
-**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus**
-Added in Windows, version 1709. Local System Authority (LSA) credential guard status.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-- 0 - Running
-- 1 - Reboot required
-- 2 - Not licensed for Credential Guard
-- 3 - Not configured
-- 4 - VBS not running
+
+```Device
+./Vendor/MSFT/DeviceStatus/Antivirus/Status
+```
+
-Supported operation is Get.
+
+
+Integer that specifies the status of the antivirus. Valid values: 0 - Antivirus is on and monitoring, 1 - Antivirus is disabled, 2 - Antivirus is not monitoring the device/PC or some options have been turned off, 3 (default) - Antivirus is temporarily not completely monitoring the device/PC, 4 - Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn't exist.)
+
-**DeviceStatus/CertAttestation/MDMClientCertAttestation**
-Added in Windows 11, version 22H2. MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields.
+
+
+
-Supported operation is Get.
+
+**Description framework properties**:
-## Related topics
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+| Default Value | 3 |
+
-[Configuration service provider reference](index.yml)
+
+
+
+
+
+
+
+## Battery
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/Battery
+```
+
+
+
+
+Node for the battery query.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Battery/EstimatedChargeRemaining
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/Battery/EstimatedChargeRemaining
+```
+
+
+
+
+Integer that specifies the estimated battery charge remaining. This is the value returned in BatteryLifeTime in SYSTEM_POWER_STATUS structure. The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+### Battery/EstimatedRuntime
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/Battery/EstimatedRuntime
+```
+
+
+
+
+Integer that specifies the estimated runtime of the battery. This is the value returned in BatteryLifeTime in SYSTEM_POWER_STATUS structure. The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+### Battery/Status
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/Battery/Status
+```
+
+
+
+
+Integer that specifies the status of the battery.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+## CellularIdentities
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/CellularIdentities
+```
+
+
+
+
+Node for queries on the SIM cards.
+
+
+
+
+> [!NOTE]
+> Multiple SIMs are supported.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### CellularIdentities/{IMEI}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}
+```
+
+
+
+
+The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+| Dynamic Node Naming | ClientInventory |
+
+
+
+
+
+
+
+
+
+#### CellularIdentities/{IMEI}/CommercializationOperator
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/CommercializationOperator
+```
+
+
+
+
+The mobile service provider or mobile operator associated with the specific IMEI number.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### CellularIdentities/{IMEI}/ICCID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/ICCID
+```
+
+
+
+
+The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### CellularIdentities/{IMEI}/IMSI
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/IMSI
+```
+
+
+
+
+The International Mobile Subscriber Identity (IMSI) associated with the IMEI number.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### CellularIdentities/{IMEI}/PhoneNumber
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/PhoneNumber
+```
+
+
+
+
+Phone number associated with the specific IMEI number.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### CellularIdentities/{IMEI}/RoamingCompliance
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/RoamingCompliance
+```
+
+
+
+
+Boolean value that indicates compliance with the enforced enterprise roaming policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### CellularIdentities/{IMEI}/RoamingStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/CellularIdentities/{IMEI}/RoamingStatus
+```
+
+
+
+
+Indicates whether the SIM card associated with the specific IMEI number is roaming.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## CertAttestation
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/CertAttestation
+```
+
+
+
+
+Node for Certificate Attestation.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### CertAttestation/MDMClientCertAttestation
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/CertAttestation/MDMClientCertAttestation
+```
+
+
+
+
+MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## Compliance
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/Compliance
+```
+
+
+
+
+Node for the compliance query.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Compliance/EncryptionCompliance
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/Compliance/EncryptionCompliance
+```
+
+
+
+
+Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following: 0 - not encrypted, 1 - encrypted.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## DeviceGuard
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/DeviceGuard
+```
+
+
+
+
+Node for Device Guard query.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### DeviceGuard/HypervisorEnforcedCodeIntegrityStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/DeviceGuard/HypervisorEnforcedCodeIntegrityStatus
+```
+
+
+
+
+Hypervisor Enforced Code Integrity (HVCI) status. 0 - Running, 1 - Reboot required, 2 - Not configured, 3 - VBS not running.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### DeviceGuard/LsaCfgCredGuardStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus
+```
+
+
+
+
+Local System Authority (LSA) credential guard status. 0 - Running, 1 - Reboot required, 2 - Not licensed for Credential Guard, 3 - Not configured, 4 - VBS not running.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### DeviceGuard/SystemGuardStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/DeviceGuard/SystemGuardStatus
+```
+
+
+
+
+System Guard status. 0 - Running, 1 - Reboot required, 2 - Not configured, 3 - System doesn't meet hardware requirements.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### DeviceGuard/VirtualizationBasedSecurityHwReq
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
+```
+
+
+
+
+Virtualization-based security hardware requirement status. The value is a 256 value bitmask. 0x0: System meets hardware configuration requirements, 0x1: SecureBoot required, 0x2: DMA Protection required, 0x4: HyperV not supported for Guest VM, 0x8: HyperV feature is not available.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### DeviceGuard/VirtualizationBasedSecurityStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
+```
+
+
+
+
+Virtualization-based security status. Value is one of the following: 0 - Running, 1 - Reboot required, 2 - 64 bit architecture required, 3 - not licensed, 4 - not configured, 5 - System doesn't meet hardware requirements, 42 - Other. Event logs in Microsoft-Windows-DeviceGuard have more details.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## DMA
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/DMA
+```
+
+
+
+
+Node for DMA query.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### DMA/BootDMAProtectionStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/DMA/BootDMAProtectionStatus
+```
+
+
+
+
+Boot DMA Protection status. 1 - Enabled, 2 - Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## DomainName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/DomainName
+```
+
+
+
+
+Returns the fully qualified domain name of the device(if any).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## Firewall
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/Firewall
+```
+
+
+
+
+Node for the firewall query.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### Firewall/Status
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/Firewall/Status
+```
+
+
+
+
+Integer that specifies the status of the firewall. Valid values: 0 - Firewall is on and monitoring, 1 - Firewall has been disabled, 2 - Firewall is not monitoring all networks or some rules have been turned off, 3 (default) - Firewall is temporarily not monitoring all networks, 4 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn't exist.)
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+| Default Value | 3 |
+
+
+
+
+
+
+
+
+
+## NetworkIdentifiers
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/NetworkIdentifiers
+```
+
+
+
+
+Node for queries on network and device properties.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### NetworkIdentifiers/{MacAddress}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}
+```
+
+
+
+
+MAC address of the wireless network card. A MAC address is present for each network card on the device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+| Dynamic Node Naming | ClientInventory |
+
+
+
+
+
+
+
+
+
+#### NetworkIdentifiers/{MacAddress}/IPAddressV4
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}/IPAddressV4
+```
+
+
+
+
+IPv4 address of the network card associated with the MAC address.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### NetworkIdentifiers/{MacAddress}/IPAddressV6
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}/IPAddressV6
+```
+
+
+
+
+IPv6 address of the network card associated with the MAC address.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### NetworkIdentifiers/{MacAddress}/IsConnected
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}/IsConnected
+```
+
+
+
+
+Boolean value that indicates whether the network card associated with the MAC address has an active network connection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### NetworkIdentifiers/{MacAddress}/Type
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/NetworkIdentifiers/{MacAddress}/Type
+```
+
+
+
+
+Type of network connection. The value is one of the following:
+
+2 - WLAN(or other Wireless interface)
+, 1 - LAN(or other Wired interface), 0 - Unknown.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## OS
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/OS
+```
+
+
+
+
+Node for the OS query.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### OS/Edition
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/OS/Edition
+```
+
+
+
+
+String that specifies the OS edition.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+| Default Value | Not available |
+
+
+
+
+
+
+
+
+
+### OS/Mode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/OS/Mode
+```
+
+
+
+
+Read only node that specifies the device mode. Valid values: 0 - the device is in standard configuration, 1 - the device is in S mode configuration.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+| Default Value | Not available |
+
+
+
+
+
+
+
+
+
+## SecureBootState
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/SecureBootState
+```
+
+
+
+
+Indicates whether secure boot is enabled. The value is one of the following: 0 - Not supported, 1 - Enabled, 2 - Disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## TPM
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/TPM
+```
+
+
+
+
+Node for the TPM query.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### TPM/ManufacturerId
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1387] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1387] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1387] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1387] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/TPM/ManufacturerId
+```
+
+
+
+
+String that specifies the TPM manufacturer ID as a number.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+| Default Value | Not available |
+
+
+
+
+
+
+
+
+
+### TPM/ManufacturerIdTxt
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1387] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1387] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1387] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1387] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/TPM/ManufacturerIdTxt
+```
+
+
+
+
+String that specifies the TPM manufacturer ID as text.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+| Default Value | Not available |
+
+
+
+
+
+
+
+
+
+### TPM/ManufacturerVersion
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1387] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1387] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1387] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1387] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/TPM/ManufacturerVersion
+```
+
+
+
+
+String that specifies the manufacturer version.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+| Default Value | Not available |
+
+
+
+
+
+
+
+
+
+### TPM/SpecificationVersion
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/TPM/SpecificationVersion
+```
+
+
+
+
+String that specifies the specification version.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+| Default Value | Not available |
+
+
+
+
+
+
+
+
+
+## UAC
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/UAC
+```
+
+
+
+
+Node for the UAC query.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### UAC/Status
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Vendor/MSFT/DeviceStatus/UAC/Status
+```
+
+
+
+
+Integer that specifies the status of the UAC.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md
index 758d3d324d..63dbac6ba7 100644
--- a/windows/client-management/mdm/devicestatus-ddf.md
+++ b/windows/client-management/mdm/devicestatus-ddf.md
@@ -1,928 +1,1201 @@
---
-title: DeviceStatus DDF
-description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+title: DeviceStatus DDF file
+description: View the XML file containing the device description framework (DDF) for the DeviceStatus configuration service provider.
+author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 02/17/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 03/12/2018
+ms.topic: reference
---
-# DeviceStatus DDF
+
-This topic shows the OMA DM device description framework (DDF) for the **DeviceStatus** configuration service provider. DDF files are used only with OMA DM provisioning XML.
+# DeviceStatus DDF file
-Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md).
-
-The XML below is for Windows 10, version 1803.
+The following XML file contains the device description framework (DDF) for the DeviceStatus configuration service provider.
```xml
-]>
+]>
- 1.2
+ 1.2
+
+
+
+ DeviceStatus
+ ./Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.10586
+ 1.0
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;
+
+
- DeviceStatus
- ./Vendor/MSFT
+ SecureBootState
+
+
+
+
+ Indicates whether secure boot is enabled. The value is one of the following: 0 - Not supported, 1 - Enabled, 2 - Disabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ CellularIdentities
+
+
+
+
+ Node for queries on the SIM cards.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
- com.microsoft/1.4/MDM/DeviceStatus
-
+
+
+
+ The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device.
+
+
+
+
+
+
+
+
+
+ IMEI
+
+
+
+
+
+
- SecureBootState
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
+ IMSI
+
+
+
+
+ The International Mobile Subscriber Identity (IMSI) associated with the IMEI number.
+
+
+
+
+
+
+
+
+
+
+
+
+
- CellularIdentities
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- IMEI
-
-
-
-
-
- IMSI
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ICCID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- PhoneNumber
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CommercializationOperator
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RoamingStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RoamingCompliance
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
+ ICCID
+
+
+
+
+ The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number.
+
+
+
+
+
+
+
+
+
+
+
+
+
- NetworkIdentifiers
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- MacAddress
-
-
-
-
-
- IPAddressV4
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IPAddressV6
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IsConnected
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Type
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
+ PhoneNumber
+
+
+
+
+ Phone number associated with the specific IMEI number.
+
+
+
+
+
+
+
+
+
+
+
+
+
- Compliance
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- EncryptionCompliance
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+ CommercializationOperator
+
+
+
+
+ The mobile service provider or mobile operator associated with the specific IMEI number.
+
+
+
+
+
+
+
+
+
+
+
+
+
- TPM
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- SpecificationVersion
-
-
-
-
- Not available
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+ RoamingStatus
+
+
+
+
+ Indicates whether the SIM card associated with the specific IMEI number is roaming.
+
+
+
+
+
+
+
+
+
+
+
+
+
- OS
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Edition
-
-
-
-
- Not available
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Mode
-
-
-
-
- Not available
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Antivirus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- SignatureStatus
-
-
-
-
- 1
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Status
-
-
-
-
- 3
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Antispyware
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- SignatureStatus
-
-
-
-
- 1
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Status
-
-
-
-
- 3
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Firewall
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Status
-
-
-
-
- 3
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- UAC
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Status
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Battery
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Status
-
-
-
-
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EstimatedChargeRemaining
-
-
-
-
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EstimatedRuntime
-
-
-
-
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- DomainName
-
-
-
-
- Returns the fully qualified domain name of the device(if any).
-
-
-
-
-
-
-
-
-
- DomainName
-
- text/plain
-
-
-
-
- DeviceGuard
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- VirtualizationBasedSecurityHwReq
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- VirtualizationBasedSecurityStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LsaCfgCredGuardStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- CertAttestation
-
-
-
-
- Node for Certificate Attestation
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- MDMClientCertAttestation
-
-
-
-
- MDM Certificate attestation information. This will return an XML blob containing the relevent attestation fields.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+ RoamingCompliance
+
+
+
+
+ Boolean value that indicates compliance with the enforced enterprise roaming policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ NetworkIdentifiers
+
+
+
+
+ Node for queries on network and device properties.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MAC address of the wireless network card. A MAC address is present for each network card on the device.
+
+
+
+
+
+
+
+
+
+ MacAddress
+
+
+
+
+
+
+
+
+ IPAddressV4
+
+
+
+
+ IPv4 address of the network card associated with the MAC address.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IPAddressV6
+
+
+
+
+ IPv6 address of the network card associated with the MAC address.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IsConnected
+
+
+
+
+ Boolean value that indicates whether the network card associated with the MAC address has an active network connection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Type
+
+
+
+
+ Type of network connection. The value is one of the following: 2 - WLAN (or other Wireless interface), 1 - LAN (or other Wired interface), 0 - Unknown
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Compliance
+
+
+
+
+ Node for the compliance query.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EncryptionCompliance
+
+
+
+
+ Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following: 0 - not encrypted, 1 - encrypted
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TPM
+
+
+
+
+ Node for the TPM query.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.15063
+ 1.1
+
+
+
+ SpecificationVersion
+
+
+
+
+ Not available
+ String that specifies the specification version.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ManufacturerId
+
+
+
+
+ Not available
+ String that specifies the TPM manufacturer ID as a number.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000, 10.0.19041.1387, 10.0.19042.1387, 10.0.19043.1387, 10.0.19044.1387
+ 1.5
+
+
+
+
+ ManufacturerIdTxt
+
+
+
+
+ Not available
+ String that specifies the TPM manufacturer ID as text.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000, 10.0.19041.1387, 10.0.19042.1387, 10.0.19043.1387, 10.0.19044.1387
+ 1.5
+
+
+
+
+ ManufacturerVersion
+
+
+
+
+ Not available
+ String that specifies the manufacturer version.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000, 10.0.19041.1387, 10.0.19042.1387, 10.0.19043.1387, 10.0.19044.1387
+ 1.5
+
+
+
+
+
+ OS
+
+
+
+
+ Node for the OS query.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.15063
+ 1.1
+
+
+
+ Edition
+
+
+
+
+ Not available
+ String that specifies the OS edition.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Mode
+
+
+
+
+ Not available
+ Read only node that specifies the device mode. Valid values: 0 - the device is in standard configuration, 1 - the device is in S mode configuration
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17134
+ 1.4
+
+
+
+
+
+ Antivirus
+
+
+
+
+ Node for the antivirus query.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.15063
+ 1.1
+
+
+
+ SignatureStatus
+
+
+
+
+ 1
+ Integer that specifies the status of the antivirus signature. Valid values: 0 - The security software reports that it is not the most recent version. 1 (default) - The security software reports that it is the most recent version. 2 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) If more than one antivirus provider is active, this node returns: 1 – If every active antivirus provider has a valid signature status. 0 – If any of the active antivirus providers has an invalid signature status.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Status
+
+
+
+
+ 3
+ Integer that specifies the status of the antivirus. Valid values: 0 – Antivirus is on and monitoring, 1 – Antivirus is disabled, 2 – Antivirus is not monitoring the device/PC or some options have been turned off, 3 (default) – Antivirus is temporarily not completely monitoring the device/PC, 4 – Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Antispyware
+
+
+
+
+ Node for the antispyware query.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.15063
+ 1.1
+
+
+
+ SignatureStatus
+
+
+
+
+ 1
+ Integer that specifies the status of the antispyware signature. Valid values: 0 - The security software reports that it is not the most recent version. 1 - The security software reports that it is the most recent version. 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) If more than one antispyware provider is active, this node returns: 1 – If every active antispyware provider has a valid signature status. 0 – If any of the active antispyware providers has an invalid signature status.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Status
+
+
+
+
+ 3
+ Integer that specifies the status of the antispyware. Valid values: 0 - The status of the security provider category is good and does not need user attention. 1 - The status of the security provider category is not monitored by Windows Security Center (WSC). 2 - The status of the security provider category is poor and the computer may be at risk. 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Firewall
+
+
+
+
+ Node for the firewall query.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.15063
+ 1.1
+
+
+
+ Status
+
+
+
+
+ 3
+ Integer that specifies the status of the firewall. Valid values: 0 – Firewall is on and monitoring, 1 – Firewall has been disabled, 2 – Firewall is not monitoring all networks or some rules have been turned off, 3 (default) – Firewall is temporarily not monitoring all networks, 4 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ UAC
+
+
+
+
+ Node for the UAC query.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.15063
+ 1.1
+
+
+
+ Status
+
+
+
+
+ Integer that specifies the status of the UAC.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Battery
+
+
+
+
+ Node for the battery query.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.15063
+ 1.1
+
+
+
+ Status
+
+
+
+
+ 0
+ Integer that specifies the status of the battery
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EstimatedChargeRemaining
+
+
+
+
+ 0
+ Integer that specifies the estimated battery charge remaining. This is the value returned in BatteryLifeTime in SYSTEM_POWER_STATUS structure. The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EstimatedRuntime
+
+
+
+
+ 0
+ Integer that specifies the estimated runtime of the battery. This is the value returned in BatteryLifeTime in SYSTEM_POWER_STATUS structure. The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DomainName
+
+
+
+
+ Returns the fully qualified domain name of the device(if any).
+
+
+
+
+
+
+
+
+
+ DomainName
+
+
+
+
+ 10.0.17134
+ 1.3
+
+
+
+
+ DeviceGuard
+
+
+
+
+ Node for Device Guard query.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17134
+ 1.3
+
+
+
+ VirtualizationBasedSecurityHwReq
+
+
+
+
+ Virtualization-based security hardware requirement status. The value is a 256 value bitmask. 0x0: System meets hardware configuration requirements, 0x1: SecureBoot required, 0x2: DMA Protection required, 0x4: HyperV not supported for Guest VM, 0x8: HyperV feature is not available
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ VirtualizationBasedSecurityStatus
+
+
+
+
+ Virtualization-based security status. Value is one of the following: 0 - Running, 1 - Reboot required, 2 - 64 bit architecture required, 3 - not licensed, 4 - not configured, 5 - System doesn't meet hardware requirements, 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ LsaCfgCredGuardStatus
+
+
+
+
+ Local System Authority (LSA) credential guard status. 0 - Running, 1 - Reboot required, 2 - Not licensed for Credential Guard, 3 - Not configured, 4 - VBS not running
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ HypervisorEnforcedCodeIntegrityStatus
+
+
+
+
+ Hypervisor Enforced Code Integrity (HVCI) status. 0 - Running, 1 - Reboot required, 2 - Not configured, 3 - VBS not running
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.5
+
+
+
+
+ SystemGuardStatus
+
+
+
+
+ System Guard status. 0 - Running, 1 - Reboot required, 2 - Not configured, 3 - System doesn't meet hardware requirements
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.5
+
+
+
+
+
+ DMA
+
+
+
+
+ Node for DMA query.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.5
+
+
+
+ BootDMAProtectionStatus
+
+
+
+
+ Boot DMA Protection status. 1 - Enabled, 2 - Disabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ CertAttestation
+
+
+
+
+ Node for Certificate Attestation
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22621, 10.0.22000.1165
+ 1.5
+
+
+
+ MDMClientCertAttestation
+
+
+
+
+ MDM Certificate attestation information. This will return an XML blob containing the relevent attestation fields.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
```
+
+## Related articles
+
+[DeviceStatus configuration service provider reference](devicestatus-csp.md)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 6ab8b5a7a4..d93de365bb 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -4,7 +4,7 @@ description: Learn more about the Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 01/17/2023
+ms.date: 02/17/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -344,7 +344,7 @@ Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX f
-Setting Type of Win32 App. Policy Or Preference
+Setting Type of Win32 App. Policy Or Preference.
@@ -384,7 +384,7 @@ Setting Type of Win32 App. Policy Or Preference
-Unique ID of ADMX file
+Unique ID of ADMX file.
@@ -424,7 +424,7 @@ Unique ID of ADMX file
-Properties of Win32 App ADMX Ingestion
+Properties of Win32 App ADMX Ingestion.
@@ -463,7 +463,7 @@ Properties of Win32 App ADMX Ingestion
-Setting Type of Win32 App. Policy Or Preference
+Setting Type of Win32 App. Policy Or Preference.
@@ -503,7 +503,7 @@ Setting Type of Win32 App. Policy Or Preference
-Unique ID of ADMX file
+Unique ID of ADMX file.
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index a9748e5429..42ddd6a7a1 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -678,7 +678,7 @@ items:
- name: DeviceStatus
href: devicestatus-csp.md
items:
- - name: DeviceStatus DDF
+ - name: DeviceStatus DDF file
href: devicestatus-ddf.md
- name: DevInfo
href: devinfo-csp.md
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 608de35b94..d800c801ee 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -214,14 +214,12 @@ Initiates remote installation of Application Guard feature.
Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
-| Value | Description |
-|:--|:--|
-| Bit 0 | Set to 1 when Application Guard is enabled into enterprise manage mode |
-| Bit 1 | Set to 1 when the client machine is Hyper-V capable |
-| Bit 2 | Reserved for Microsoft |
-| Bit 3 | Set to 1 when Application Guard is installed on the client machine |
-| Bit 4 | Reserved for Microsoft |
-| Bit 5 | Set to 1 when the client machine meets minimum hardware requirements |
+Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
+Bit 1 - Set to 1 when the client machine is Hyper-V capable.
+Bit 2 - Reserved for Microsoft.
+Bit 3 - Set to 1 when Application Guard is installed on the client machine.
+Bit 4 - Reserved for Microsoft.
+Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
@@ -949,15 +947,13 @@ This policy setting allows you to determine whether users can elect to download
Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device.
-| Value | Description |
-|:--|:--|
-| Bit 0 | Set to 1 when Application Guard is enabled into enterprise manage mode |
-| Bit 1 | Set to 1 when the client machine is Hyper-V capable |
-| Bit 2 | Set to 1 when the client machine has a valid OS license and SKU |
-| Bit 3 | Set to 1 when Application Guard installed on the client machine |
-| Bit 4 | Set to 1 when required Network Isolation Policies are configured |
-| Bit 5 | Set to 1 when the client machine meets minimum hardware requirements |
-| Bit 6 | Set to 1 when system reboot is required |
+Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
+Bit 1 - Set to 1 when the client machine is Hyper-V capable.
+Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
+Bit 3 - Set to 1 when Application Guard installed on the client machine.
+Bit 4 - Set to 1 when required Network Isolation Policies are configured.
+Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
+Bit 6 - Set to 1 when system reboot is required.
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index bc298214e5..8cef0fa4ad 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the WiredNetwork CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 02/16/2023
+ms.date: 02/17/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -91,7 +91,7 @@ Enable block period (minutes), used to specify the duration for which automatic
-XML describing the wired network configuration and follows the LAN_profile schemas .
+XML describing the wired network configuration and follows the LAN_profile schemas
@@ -170,7 +170,7 @@ Enable block period (minutes), used to specify the duration for which automatic
-XML describing the wired network configuration and follows the LAN_profile schemas .
+XML describing the wired network configuration and follows the LAN_profile schemas