The root node for the EnterpriseAPN configuration service provider.
+The root node for the EnterpriseAPN configuration service provider. **EnterpriseAPN/***ConnectionName* -Name of the connection as seen by Windows Connection Manager.
+Name of the connection as seen by Windows Connection Manager. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/APNName** -Enterprise APN name.
+Enterprise APN name. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/IPType** -This value can be one of the following values:
+This value can be one of the following: -- IPv4 - only IPV4 connection type -- IPv6 - only IPv6 connection type -- IPv4v6 (default)- IPv4 and IPv6 concurrently. -- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat +- IPv4 - only IPV4 connection type. +- IPv6 - only IPv6 connection type. +- IPv4v6 (default)- IPv4 and IPv6 concurrently. +- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/IsAttachAPN** -Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.
+Boolean value that indicates whether this APN should be requested as part of an LTE Attach. -Supported operations are Add, Get, Delete, and Replace.
+Default value is false. + +Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/ClassId** -GUID that defines the APN class to the modem. This GUID is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN.
+GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/AuthType** -Authentication type. This value can be one of the following values:
+Authentication type. This value can be one of the following: -- None (default) -- Auto -- PAP -- CHAP -- MSCHAPv2 +- None (default) +- Auto +- PAP +- CHAP +- MSCHAPv2 -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/UserName** -User name for use with PAP, CHAP, or MSCHAPv2 authentication.
+User name for use with PAP, CHAP, or MSCHAPv2 authentication. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/Password** -Password corresponding to the username.
+Password corresponding to the username. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/IccId** -Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
+Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/AlwaysOn** -Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
+Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available. -The default value is true.
+The default value is true. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/Enabled** -Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
+Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled. -The default value is true.
+The default value is true. -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/*ConnectionName*/Roaming** -Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:
+Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values are: -Default is 1 (all roaming allowed).
+Default is 1 (all roaming allowed). -Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Value type is string. +Supported operations are Add, Get, Delete, and Replace. **EnterpriseAPN/Settings** -Added in Windows 10, version 1607. Node that contains global settings.
+Added in Windows 10, version 1607. Node that contains global settings. **EnterpriseAPN/Settings/AllowUserControl** -Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
+Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN. -The default value is false.
+The default value is false. -Supported operations are Get and Replace.
+Supported operations are Get and Replace. **EnterpriseAPN/Settings/HideView** -Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
+Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true. -The default value is false.
+The default value is false. -Supported operations are Get and Replace.
+Supported operations are Get and Replace. ## Examples @@ -290,15 +298,4 @@ atomicZ ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md deleted file mode 100644 index b59fc137e1..0000000000 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ /dev/null @@ -1,534 +0,0 @@ ---- -title: EnterpriseAppManagement CSP -description: Handle enterprise application management tasks using EnterpriseAppManagement configuration service provider (CSP). -ms.assetid: 698b8bf4-652e-474b-97e4-381031357623 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: dansimp -ms.date: 06/26/2017 ---- - -# EnterpriseAppManagement CSP - - -The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment. - -> [!NOTE] -> The EnterpriseAppManagement CSP is only supported in Windows 10 IoT Core. - - -The following example shows the EnterpriseAppManagement configuration service provider in tree format. - -```console -./Vendor/MSFT -EnterpriseAppManagement -----EnterpriseID ---------EnrollmentToken ---------StoreProductID ---------StoreUri ---------CertificateSearchCriteria ---------Status ---------CRLCheck ---------EnterpriseApps -------------Inventory -----------------ProductID ---------------------Version ---------------------Title ---------------------Publisher ---------------------InstallDate -------------Download -----------------ProductID ---------------------Version ---------------------Name ---------------------URL ---------------------Status ---------------------LastError ---------------------LastErrorDesc ---------------------DownloadInstall -``` - -***EnterpriseID*** -Optional. A dynamic node that represents the EnterpriseID as a GUID. It's used to enroll or unenroll enterprise applications. - -Supported operations are Add, Delete, and Get. - -***EnterpriseID*/EnrollmentToken** -Required. Used to install or update the binary representation of the application enrollment token (AET) and initiate "phone home" token validation. Scope is dynamic. - -Supported operations are Get, Add, and Replace. - -***EnterpriseID*/StoreProductID** -Required. The node to host the ProductId node. Scope is dynamic. - -Supported operation is Get. - -**/StoreProductID/ProductId** -The character string that contains the ID of the first enterprise application (usually a Company Hub app), which is automatically installed on the device. Scope is dynamic. - -Supported operations are Get and Add. - -***EnterpriseID*/StoreUri** -Optional. The character string that contains the URI of the first enterprise application to be installed on the device. The enrollment client downloads and installs the application from this URI. Scope is dynamic. - -Supported operations are Get and Add. - -***EnterpriseID*/CertificateSearchCriteria** -Optional. The character string that contains the search criteria to search for the DM-enrolled client certificate. The certificate is used for client authentication during enterprise application download. The company's application content server should use the enterprise-enrolled client certificate to authenticate the device. The value must be a URL encoded representation of the X.500 distinguished name of the client certificates Subject property. The X.500 name must conform to the format required by the [CertStrToName](/windows/win32/api/wincrypt/nf-wincrypt-certstrtonamea) function. This search parameter is case sensitive. Scope is dynamic. - -Supported operations are Get and Add. - -> [!NOTE] -> Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00 - - - -***EnterpriseID*/Status** -Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL\_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic. - -Supported operation is Get. - -***EnterpriseID*/CRLCheck** -Optional. Character value that specifies whether the device should do a CRL check when using a certificate to authenticate the server. Valid values are "1" (CRL check required), "0" (CRL check not required). Scope is dynamic. - -Supported operations are Get, Add, and Replace. - -***EnterpriseID*/EnterpriseApps** -Required. The root node to for individual enterprise application related settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider). - -Supported operation is Get. - -**/EnterpriseApps/Inventory** -Required. The root node for individual enterprise application inventory settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider). - -Supported operation is Get. - -**/Inventory/***ProductID* -Optional. A node that contains s single enterprise application product ID in GUID format. Scope is dynamic. - -Supported operation is Get. - -**/Inventory/*ProductID*/Version** -Required. The character string that contains the current version of the installed enterprise application. Scope is dynamic. - -Supported operation is Get. - -**/Inventory/*ProductID*/Title** -Required. The character string that contains the name of the installed enterprise application. Scope is dynamic. - -Supported operation is Get. - -**/Inventory/*ProductID*/Publisher** -Required. The character string that contains the name of the publisher of the installed enterprise application. Scope is dynamic. - -Supported operation is Get. - -**/Inventory/*ProductID*/InstallDate** -Required. The time (in the character format YYYY-MM-DD-HH:MM:SS) that the application was installed or updated. Scope is dynamic. - -Supported operation is Get. - -**/EnterpriseApps/Download** -Required. This node groups application download-related parameters. The enterprise server can only automatically update currently installed enterprise applications. The end user controls which enterprise applications to download and install. Scope is dynamic. - -Supported operation is Get. - -**/Download/***ProductID* -Optional. This node contains the GUID for the installed enterprise application. Each installed application has a unique ID. Scope is dynamic. - -Supported operations are Get, Add, and Replace. - -**/Download/*ProductID*/Version** -Optional. The character string that contains version information (set by the caller) for the application currently being downloaded. Scope is dynamic. - -Supported operations are Get, Add, and Replace. - -**/Download/*ProductID*/Name** -Required. The character string that contains the name of the installed application. Scope is dynamic. - -Supported operation is Get. - -**/Download/*ProductID*/URL** -Optional. The character string that contains the URL for the updated version of the installed application. The device will download application updates from this link. Scope is dynamic. - -Supported operations are Get, Add, and Replace. - -**/Download/*ProductID*/Status** -Required. The integer value that indicates the status of the current download process. The following table shows the possible values. - -|Value|Description| -|--- |--- | -|0: CONFIRM|Waiting for confirmation from user.| -|1: QUEUED|Waiting for download to start.| -|2: DOWNLOADING|In the process of downloading.| -|3: DOWNLOADED|Waiting for installation to start.| -|4: INSTALLING|Handed off for installation.| -|5: INSTALLED|Successfully installed| -|6: FAILED|Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)| -|7:DOWNLOAD_FAILED|Unable to connect to server, file doesn't exist, etc.| - -Scope is dynamic. Supported operations are Get, Add, and Replace. - -**/Download/*ProductID*/LastError** -Required. The integer value that indicates the HRESULT of the last error code. If there are no errors, the value is 0 (S\_OK). Scope is dynamic. - -Supported operation is Get. - -**/Download/*ProductID*/LastErrorDesc** -Required. The character string that contains the human readable description of the last error code. - -**/Download/*ProductID*/DownloadInstall** -Required. The node to allow the server to trigger the download and installation for an updated version of the user installed application. The format for this node is null. The server must query the device later to determine the status. For each product ID, the status field is retained for up to one week. Scope is dynamic. - -Supported operation is Exec. - -## Remarks - - -### Install and Update Line of Business (LOB) applications - -A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support various file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section. - -### Uninstall Line of Business (LOB) applications - -A workplace can also remotely uninstall Line of Business applications on the device. It's not possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that aren't installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section. - -### Query installed Store application - -You can determine if a Store application is installed on a system. First, you need the Store application GUID. You can get the Store application GUID by going to the URL for the Store application. - -The Microsoft Store application has a GUID of d5dc1ebb-a7f1-df11-9264-00237de2db9e. - -Use the following SyncML format to query to see if the application is installed on a managed device: - -```xml -Root node for the EnterpriseAppVManagement configuration service provider.
+Root node for the EnterpriseAppVManagement configuration service provider. **AppVPackageManagement** -Used to query App-V package information (post-publish).
+Used to query App-V package information (post-publish). **AppVPackageManagement/EnterpriseID** -Used to query package information. Value is always "HostedInstall".
+Used to query package information. Value is always "HostedInstall". **AppVPackageManagement/EnterpriseID/PackageFamilyName** -Package ID of the published App-V package.
+Package ID of the published App-V package. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*** -Version ID of the published App-V package.
+Version ID of the published App-V package. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name** -Name specified in the published AppV package.
-Value type is string. Supported operation is Get.
+Name specified in the published AppV package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version** -Version specified in the published AppV package.
-Value type is string. Supported operation is Get.
+Version specified in the published AppV package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher** -Publisher as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Publisher as specified in the published asset information of the AppV package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation** -Local package path specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Local package path specified in the published asset information of the AppV package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate** -Date the app was installed, as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Date the app was installed, as specified in the published asset information of the AppV package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users** -Registered users for app, as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Registered users for app, as specified in the published asset information of the AppV package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId** -Package ID of the published App-V package.
-Value type is string. Supported operation is Get.
+ Package ID of the published App-V package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId** -Version ID of the published App-V package.
-Value type is string. Supported operation is Get.
+Version ID of the published App-V package. + +Value type is string. + +Supported operation is Get. **AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri** -Package URI of the published App-V package.
-Value type is string. Supported operation is Get.
+Package URI of the published App-V package. + +Value type is string. + +Supported operation is Get. **AppVPublishing** -Used to monitor publishing operations on App-V.
+Used to monitor publishing operations on App-V. **AppVPublishing/LastSync** -Used to monitor publishing status of last sync operation.
+Used to monitor publishing status of last sync operation. **AppVPublishing/LastSync/LastError** -Error code and error description of last sync operation.
-Value type is string. Supported operation is Get.
+Error code and error description of last sync operation. + +Value type is string. + +Supported operation is Get. **AppVPublishing/LastSync/LastErrorDescription** -Last sync error status. One of the following values may be returned:
+Last sync error status. One of the following values may be returned: - SYNC\_ERR_NONE (0) - No errors during publish. - SYNC\_ERR\_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish. @@ -116,10 +156,12 @@ EnterpriseAppVManagement - SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish. - SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occurred during publish. -Value type is string. Supported operation is Get.
+Value type is string. + +Supported operation is Get. **AppVPublishing/LastSync/SyncStatusDescription** -Latest sync in-progress stage. One of the following values may be returned:
+Latest sync in-progress stage. One of the following values may be returned: - SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle. - SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress. @@ -127,9 +169,12 @@ EnterpriseAppVManagement - SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress. - SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress. -Value type is string. Supported operation is Get.
+Value type is string. -AppVPublishing/LastSync/SyncProgressLatest sync state. One of the following values may be returned:
+Supported operation is Get. + +**AppVPublishing/LastSync/SyncProgress** +Latest sync state. One of the following values may be returned: - SYNC\_STATUS_IDLE (0) - App-V Sync is idle. - SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing. @@ -137,22 +182,30 @@ EnterpriseAppVManagement - SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete. - SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot. -Value type is string. Supported operation is Get.
+Value type is string. + +Supported operation is Get. **AppVPublishing/Sync** -Used to perform App-V synchronization.
+Used to perform App-V synchronization. **AppVPublishing/Sync/PublishXML** -Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.
-Supported operations are Get, Delete, and Execute.
- +Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol,, see [[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](/openspecs/windows_protocols/ms-vapr/a05e030d-4fb9-4c8d-984b-971253b62be8). +Supported operations are Get, Delete, and Execute. **AppVDynamicPolicy** -Used to set App-V Policy Configuration documents for publishing packages.
+Used to set App-V Policy Configuration documents for publishing packages. **AppVDynamicPolicy/*ConfigurationId*** -ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
+ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document). **AppVDynamicPolicy/*ConfigurationId*/Policy** -XML for App-V Policy Configuration documents for publishing packages.
-Value type is xml. Supported operations are Add, Get, Delete, and Replace.
\ No newline at end of file +XML for App-V Policy Configuration documents for publishing packages. + +Value type is xml. + +Supported operations are Add, Get, Delete, and Replace. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index d8ec6f71d5..a83cfc02b3 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseDataProtection CSP -description: The EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings. +description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings. ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3 ms.reviewer: manager: dansimp @@ -14,20 +14,27 @@ ms.date: 08/09/2017 # EnterpriseDataProtection CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). > [!Note] > To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). -> - This CSP was added in Windows 10, version 1607. - - While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md). To learn more about WIP, see the following articles: -- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy) -- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip) +- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy) +- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip) The following example shows the EnterpriseDataProtection CSP in tree format. @@ -53,19 +60,22 @@ The root node for the CSP. The root node for the Windows Information Protection (WIP) configuration settings. **Settings/EDPEnforcementLevel** -Set the WIP enforcement level. Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. +Set the WIP enforcement level. + +> [!Note] +> Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. The following list shows the supported values: -- 0 (default) – Off / No protection (decrypts previously protected data). -- 1 – Silent mode (encrypt and audit only). -- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit). -- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit). +- 0 (default) – Off / No protection (decrypts previously protected data). +- 1 – Silent mode (encrypt and audit only). +- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit). +- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit). Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/EnterpriseProtectedDomainNames** -A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. +A list of domains used by the enterprise for its user identities separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client. @@ -75,9 +85,9 @@ Changing the primary enterprise ID isn't supported and may cause unexpected beha Here are the steps to create canonical domain names: -1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com. -2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. -3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0). +1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com. +2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. +3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0). Supported operations are Add, Get, Replace, and Delete. Value type is string. @@ -89,8 +99,8 @@ Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the us The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed. +- 1 (default) – Allowed. Most restricted value is 0. @@ -235,16 +245,16 @@ This policy controls whether to revoke the WIP keys when a device unenrolls from The following list shows the supported values: -- 0 – Don't revoke keys. -- 1 (default) – Revoke keys. +- 0 – Don't revoke keys. +- 1 (default) – Revoke keys. Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RevokeOnMDMHandoff** Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. -- 0 - Don't revoke keys -- 1 (default) - Revoke keys +- 0 - Don't revoke keys. +- 1 (default) - Revoke keys. Supported operations are Add, Get, Replace, and Delete. Value type is integer. @@ -256,13 +266,13 @@ Supported operations are Add, Get, Replace, and Delete. Value type is string (GU **Settings/AllowAzureRMSForEDP** Specifies whether to allow Azure RMS encryption for WIP. -- 0 (default) – Don't use RMS. -- 1 – Use RMS. +- 0 (default) – Don't use RMS. +- 1 – Use RMS. Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/SMBAutoEncryptedFileExtensions** -Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. +Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list. When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. Supported operations are Add, Get, Replace and Delete. Value type is string. @@ -270,8 +280,8 @@ Supported operations are Add, Get, Replace and Delete. Value type is string. Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. The following list shows the supported values: -- 0 (default) - No WIP overlays on icons or tiles. -- 1 - Show WIP overlays on protected files and apps that can only create enterprise content. +- 0 (default) - No WIP overlays on icons or tiles. +- 1 - Show WIP overlays on protected files and apps that can only create enterprise content. Supported operations are Add, Get, Replace, and Delete. Value type is integer. @@ -284,25 +294,26 @@ Suggested values: |--- |--- |--- |--- |--- | |4|3|2|1|0| - - Bit 0 indicates whether WIP is on or off. Bit 1 indicates whether AppLocker WIP policies are set. Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero). -Here's the list of mandatory WIP policies: +Here's the list of mandatory WIP policies: -- EDPEnforcementLevel in EnterpriseDataProtection CSP -- DataRecoveryCertificate in EnterpriseDataProtection CSP -- EnterpriseProtectedDomainNames in EnterpriseDataProtection CSP -- NetworkIsolation/EnterpriseIPRange in Policy CSP -- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP +- EDPEnforcementLevel in EnterpriseDataProtection CSP +- DataRecoveryCertificate in EnterpriseDataProtection CSP +- EnterpriseProtectedDomainNames in EnterpriseDataProtection CSP +- NetworkIsolation/EnterpriseIPRange in Policy CSP +- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP Bits 2 and 4 are reserved for future use. Supported operation is Get. Value type is integer. - +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) + diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 13aead751f..b7c829d77b 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseDesktopAppManagement CSP -description: The EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications. +description: Learn how the EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications. ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5 ms.reviewer: manager: dansimp @@ -14,6 +14,15 @@ ms.date: 07/11/2017 # EnterpriseDesktopAppManagement CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications. @@ -96,8 +105,6 @@ Status of the application. Value type is string. Supported operation is Get. | Enforcement Failed | 60 | | Enforcement Completed | 70 | - - **MSI/*ProductID*/LastError** The last error code during the application installation process. This error code is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this error could be the result of executing MSIExec.exe or the error result from an API that failed. @@ -116,10 +123,8 @@ Added in the March service release of Windows 10, version 1607. A gateway (or de Value type is string. Supported operation is Get. - ## Examples - **SyncML to request CSP version information** ```xml @@ -146,9 +151,7 @@ The following table describes the fields in the previous sample: | CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | | LocURI | Path to Win32 CSP command processor. | - - -**SyncML to perform MSI operations for application uninstall** +**SyncML to perform MSI operations for application uninstall:** ```xmlRoot node for the Firewall configuration service provider.
+Root node for the Firewall configuration service provider. **MdmStore** -Interior node.
-Supported operation is Get.
+Interior node. +Supported operation is Get. **MdmStore/Global** -Interior node.
-Supported operations are Get.
+Interior node. +Supported operations are Get. **MdmStore/Global/PolicyVersionSupported** -Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build.
-Value type in integer. Supported operation is Get.
+Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build. +Value type in integer. Supported operation is Get. **MdmStore/Global/CurrentProfiles** -Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law.
-Value type in integer. Supported operation is Get.
+Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law. +Value type in integer. Supported operation is Get. **MdmStore/Global/DisableStatefulFtp** -Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
-Default value is false.
-Data type is bool. Supported operations are Add, Get, Replace, and Delete.
+Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win. +Default value is false. + +Data type is bool. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/SaIdleTime** -This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
-Default value is 300.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. +Default value is 300. +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/PresharedKeyEncoding** -Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
-Default value is 1.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. +Default value is 1. +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/IPsecExempt** -This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
-Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. +Default value is 0. +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/CRLcheck** -This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued:
-Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued: + +- 0 disables CRL checking +- 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail. +- 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing + +Default value is 0. +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/PolicyVersion** -This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law.
-Value type is string. Supported operation is Get.
+This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law. +Value type is string. Supported operation is Get. **MdmStore/Global/BinaryVersionSupported** -This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
-Value type is string. Supported operation is Get.
+This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. +Value type is string. Supported operation is Get. **MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-Boolean value. Supported operations are Add, Get, Replace, and Delete.
+This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. +Boolean value. Supported operations are Add, Get, Replace, and Delete. **MdmStore/Global/EnablePacketQueue** -This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
+This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values: -Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Default value is 0. + +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **MdmStore/DomainProfile** -Interior node. Supported operation is Get.
+Interior node. Supported operation is Get. **MdmStore/PrivateProfile** -Interior node. Supported operation is Get.
+Interior node. Supported operation is Get. **MdmStore/PublicProfile** -Interior node. Supported operation is Get.
+Interior node. Supported operation is Get. **/EnableFirewall** -Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is true. +Value type is bool. Supported operations are Add, Get and Replace. **/DisableStealthMode** -Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is false. +Value type is bool. Supported operations are Add, Get and Replace. **/Shielded** -Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
-Default value is false.
-Value type is bool. Supported operations are Get and Replace.
+Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win. +Default value is false. + +Value type is bool. Supported operations are Get and Replace. **/DisableUnicastResponsesToMulticastBroadcast** -Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is false. +Value type is bool. Supported operations are Add, Get and Replace. **/DisableInboundNotifications** -Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is false. +Value type is bool. Supported operations are Add, Get and Replace. **/AuthAppsAllowUserPrefMerge** -Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is true. +Value type is bool. Supported operations are Add, Get and Replace. **/GlobalPortsAllowUserPrefMerge** -Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. +Default value is true. +Value type is bool. Supported operations are Add, Get and Replace. **/AllowLocalPolicyMerge** -Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **/AllowLocalIpsecPolicyMerge** -Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. +Default value is true. + +Value type is bool. Supported operations are Add, Get and Replace. **/DefaultOutboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block.
-Default value is 0 (allow).
-Value type is integer. Supported operations are Add, Get and Replace.
+This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block. + +- 0x00000000 - allow +- 0x00000001 - block + +Default value is 0 (allow). +Value type is integer. Supported operations are Add, Get and Replace. Sample syncxml to provision the firewall settings to evaluate @@ -261,163 +276,168 @@ Sample syncxml to provision the firewall settings to evaluateThis value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used.
-Default value is 1 (block).
-Value type is integer. Supported operations are Add, Get and Replace.
+This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used. + +- 0x00000000 - allow +- 0x00000001 - block + +Default value is 1 (block). +Value type is integer. Supported operations are Add, Get and Replace. **/DisableStealthModeIpsecSecuredPacketExemption** -Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. +Default value is true. +Value type is bool. Supported operations are Add, Get and Replace. **FirewallRules** -A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. **FirewallRules/_FirewallRuleName_** -Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
-Supported operations are Add, Get, Replace, and Delete.
+Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). +Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/App** -Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
-If not specified, the default is All.
-Supported operation is Get.
+Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes: + +- PackageFamilyName +- FilePath +- FQBN +- ServiceName + +If not specified, the default is All. +Supported operation is Get. **FirewallRules/_FirewallRuleName_/App/PackageFamilyName** -This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/App/FilePath** -This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/App/Fqbn** -Fully Qualified Binary Name
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Fully Qualified Binary Name +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/App/ServiceName** -This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/Protocol** -0-255 number representing the ip protocol (TCP = 6, UDP = 17)
-If not specified, the default is All.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+0-255 number representing the ip protocol (TCP = 6, UDP = 17) +If not specified, the default is All. +Value type is integer. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/LocalPortRanges** -Comma separated list of ranges. For example, 100-120,200,300-320.
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of ranges. For example, 100-120,200,300-320. +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/RemotePortRanges** -Comma separated list of ranges, For example, 100-120,200,300-320.
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of ranges, For example, 100-120,200,300-320. +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/*FirewallRuleName*/LocalAddressRanges** -Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include: + +- "*" indicates any local address. If present, the local address must be the only token included. +- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255. +- A valid IPv6 address. +- An IPv4 address range in the format of "start address - end address" with no spaces included. +- An IPv6 address range in the format of "start address - end address" with no spaces included. + +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/*FirewallRuleName*/RemoteAddressRanges** -List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
-The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.
+List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: + +- "*" indicates any remote address. If present, the address must be the only token included. +- "Defaultgateway" +- "DHCP" +- "DNS" +- "WINS" +- "Intranet" +- "RmtIntranet" +- "Internet" +- "Ply2Renders" +- "LocalSubnet" indicates any local address on the local subnet. This token isn't case-sensitive. +- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +- A valid IPv6 address. +- An IPv4 address range in the format of "start address - end address" with no spaces included. +- An IPv6 address range in the format of "start address - end address" with no spaces included. + +If not specified, the default is All. +Value type is string. Supported operations are Add, Get, Replace, and Delete. +The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later. **FirewallRules/_FirewallRuleName_/Description** -Specifies the description of the rule.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Specifies the description of the rule. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/Enabled** -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -
If not specified - a new rule is enabled by default.
-Boolean value. Supported operations are Get and Replace.
+Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +If not specified - a new rule is enabled by default. +Boolean value. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/Profiles** -Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
-If not specified, the default is All.
-Value type is integer. Supported operations are Get and Replace.
+Specifies the profiles to which the rule belongs: Domain, Private, or Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. +If not specified, the default is All. +Value type is integer. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/Action** -Specifies the action for the rule.
-Supported operation is Get.
+Specifies the action for the rule. +Supported operation is Get. **FirewallRules/_FirewallRuleName_/Action/Type** -Specifies the action the rule enforces. Supported values:
-If not specified, the default is allow.
-Value type is integer. Supported operations are Get and Replace.
+Specifies the action the rule enforces. Supported values: + +- 0 - Block +- 1 - Allow + +If not specified, the default is allow. +Value type is integer. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/Direction** -The rule is enabled based on the traffic direction as following. Supported values:
-Value type is string. Supported operations are Get and Replace.
+The rule is enabled based on the traffic direction as following. Supported values: + +- IN - the rule applies to inbound traffic. +- OUT - the rule applies to outbound traffic. +- If not specified, the default is Out. + +Value type is string. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/InterfaceTypes** -Comma separated list of interface types. Valid values:
-If not specified, the default is All.
-Value type is string. Supported operations are Get and Replace.
+Comma separated list of interface types. Valid values: + +- RemoteAccess +- Wireless +- Lan + +If not specified, the default is All. +Value type is string. Supported operations are Get and Replace. **FirewallRules/_FirewallRuleName_/EdgeTraversal** -Indicates whether edge traversal is enabled or disabled for this rule.
-The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
-New rules have the EdgeTraversal property disabled by default.
-Value type is bool. Supported operations are Add, Get, Replace, and Delete.
+Indicates whether edge traversal is enabled or disabled for this rule. +The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. +New rules have the EdgeTraversal property disabled by default. +Value type is bool. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList** -Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format. +Value type is string. Supported operations are Add, Get, Replace, and Delete. **FirewallRules/_FirewallRuleName_/Status** -Provides information about the specific version of the rule in deployment for monitoring purposes.
-Value type is string. Supported operation is Get.
+Provides information about the specific version of the rule in deployment for monitoring purposes. +Value type is string. Supported operation is Get. **FirewallRules/_FirewallRuleName_/Name** -Name of the rule.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Name of the rule. +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 4933026bdc..e9f9d1928d 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -14,14 +14,24 @@ ms.date: # Device HealthAttestation CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. The following list is a description of the functions performed by the Device HealthAttestation CSP: -- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device -- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) -- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device -- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) +- Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device +- Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) +- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device +- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) ## Windows 11 Device health attestation @@ -63,6 +73,7 @@ Attestation flow can be broadly in three main steps: For more information, see [Attestation Protocol](/azure/attestation/virtualization-based-security-protocol). ### Configuration Service Provider Nodes + Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service. ```console @@ -249,7 +260,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo ``` > [!NOTE] -> > MAA CSP nodes are available on arm64 but isn't currently supported. +> MAA CSP nodes are available on arm64 but isn't currently supported. ### MAA CSP Integration Steps @@ -574,12 +585,12 @@ Provides the current status of the device health request. The supported operation is Get. -The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes. +The following list shows some examples of supported values. For the complete list of status, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). -- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service -- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device -- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob couldn't be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes -- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup +- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service +- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device +- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob couldn't be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes +- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup **ForceRetrieve** (Optional) @@ -623,14 +634,14 @@ Value type is integer. The supported operation is Get. The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM): -1. [Verify HTTPS access](#verify-access) -2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service) -3. [Instruct client to prepare DHA-data for verification](#prepare-health-data) -4. [Take action based on the clients response](#take-action-client-response) -5. [Instruct the client to forward DHA-data for verification](#forward-health-attestation) -6. [Post DHA-data to DHA-service](#forward-data-to-has) -7. [Receive response from DHA-service](#receive-has-response) -8. [Parse DHA-Report data. Take appropriate policy action based on evaluation results](#take-policy-action) +1. [Verify HTTPS access](#verify-access) +2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service) +3. [Instruct client to prepare DHA-data for verification](#prepare-health-data) +4. [Take action based on the clients response](#take-action-client-response) +5. [Instruct the client to forward DHA-data for verification](#forward-health-attestation) +6. [Post DHA-data to DHA-service](#forward-data-to-has) +7. [Receive response from DHA-service](#receive-has-response) +8. [Parse DHA-Report data. Take appropriate policy action based on evaluation results](#take-policy-action) Each step is described in detail in the following sections of this topic. @@ -688,6 +699,7 @@ SSL-Session: ### Step 2: Assign an enterprise trusted DHA-Service There are three types of DHA-Service: + - Device Health Attestation – Cloud (owned and operated by Microsoft) - Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises) - Device Health Attestation - Enterprise-Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise-managed cloud) @@ -738,7 +750,6 @@ The following example shows a sample call that triggers collection and verificat ### Step 4: Take action based on the client's response - After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take. - If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section. @@ -762,11 +773,11 @@ Here's a sample alert that is issued by DHA_CSP: ``` + - If the response to the status node isn't 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). ### Step 5: Instruct the client to forward health attestation data for verification - Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device. Here's an example: @@ -823,24 +834,24 @@ When the MDM-Server receives the above data, it must: - Forward (HTTP Post) the XML data struct (including the nonce that was appended in the previous step) to the assigned DHA-Service that runs on: - - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3 - - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3 - + - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: [https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3](https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3) + - DHA-OnPrem or DHA-EMC: [https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3](https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3) ### Step 7: Receive response from the DHA-service When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps: + - Decrypts the encrypted data it receives. -- Validates the data it has received -- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format +- Validates the data it has received. +- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format. ### Step 8: Take appropriate policy action based on evaluation results After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be: -- Allow the device access. -- Allow the device to access the resources, but flag the device for further investigation. -- Prevent a device from accessing resources. +- Allow the device access. +- Allow the device to access the resources, but flag the device for further investigation. +- Prevent a device from accessing resources. The following list of data points is verified by the DHA-Service in DHA-Report version 3: @@ -890,8 +901,8 @@ If AIKPresent = True (1), then allow access. If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets +- Disallow all access. +- Disallow access to HBI assets. - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. @@ -911,21 +922,21 @@ Data Execution Prevention (DEP) Policy defines a set of hardware and software te DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script: -- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** -- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** +- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** +- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** If DEPPolicy = 1 (On), then allow access. If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. +- Disallow all access. +- Disallow access to HBI assets. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitLockerStatus** (at boot time) -When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation. +When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation. Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer isn't tampered with, even if it's left unattended, lost, or stolen. @@ -935,10 +946,10 @@ If BitLockerStatus = 1 (On), then allow access. If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. +- Disallow all access. +- Disallow access to HBI assets. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootManagerRevListVersion** @@ -946,12 +957,12 @@ This attribute indicates the version of the Boot Manager that is running on the If BootManagerRevListVersion = [CurrentVersion], then allow access. -If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies: +If `BootManagerRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI and MBI assets -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. +- Disallow all access. +- Disallow access to HBI and MBI assets. +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityRevListVersion** @@ -959,12 +970,12 @@ This attribute indicates the version of the code that is performing integrity ch If CodeIntegrityRevListVersion = [CurrentVersion], then allow access. -If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies: +If `CodeIntegrityRevListVersion !`= [CurrentVersion], then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI and MBI assets -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. +- Disallow all access. +- Disallow access to HBI and MBI assets. +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **SecureBootEnabled** @@ -974,10 +985,10 @@ If SecureBootEnabled = 1 (True), then allow access. If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. +- Disallow all access. +- Disallow access to HBI assets. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootDebuggingEnabled** @@ -985,17 +996,17 @@ Boot debug-enabled points to a device that is used in development and testing. D Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script: -- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off** -- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on** +- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**. +- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**. If BootdebuggingEnabled = 0 (False), then allow access. If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. +- Disallow all access. +- Disallow access to HBI assets. +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled** @@ -1005,10 +1016,10 @@ If OSKernelDebuggingEnabled = 0 (False), then allow access. If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. +- Disallow all access. +- Disallow access to HBI assets. +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityEnabled** @@ -1022,10 +1033,10 @@ If CodeIntegrityEnabled = 1 (True), then allow access. If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. +- Disallow all access. +- Disallow access to HBI assets. +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **TestSigningEnabled** @@ -1033,17 +1044,17 @@ When test signing is enabled, the device doesn't enforce signature validation du Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script: -- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off** -- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on** +- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**. +- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**. If TestSigningEnabled = 0 (False), then allow access. If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI and MBI assets -- Place the device in a watch list to monitor the device more closely for potential risks. -- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. +- Disallow all access. +- Disallow access to HBI and MBI assets. +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode** @@ -1053,9 +1064,9 @@ If SafeMode = 0 (False), then allow access. If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. +- Disallow all access. +- Disallow access to HBI assets. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **WinPE** @@ -1067,7 +1078,7 @@ If WinPE = 1 (True), then limit access to remote resources that are required for **ELAMDriverLoaded** (Windows Defender) -To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. +To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot. @@ -1077,9 +1088,9 @@ If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. +- Disallow all access. +- Disallow access to HBI assets. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **Bcdedit.exe /set {current} vsmlaunchtype auto** @@ -1087,9 +1098,9 @@ If ELAMDriverLoaded = 1 (True), then allow access. If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets -- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. +- Disallow all access. +- Disallow access to HBI assets. +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **VSMEnabled** @@ -1102,8 +1113,8 @@ VSM can be enabled by using the following command in WMI or a PowerShell script: If VSMEnabled = 1 (True), then allow access. If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Disallow access to HBI assets +- Disallow all access. +- Disallow access to HBI assets. - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue **PCRHashAlgorithmID** @@ -1118,7 +1129,7 @@ If reported BootAppSVN equals an accepted value, then allow access. If reported BootAppSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: -- Disallow all access +- Disallow all access. - Direct the device to an enterprise honeypot, to further monitor the device's activities. **BootManagerSVN** @@ -1129,7 +1140,7 @@ If reported BootManagerSVN equals an accepted value, then allow access. If reported BootManagerSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: -- Disallow all access +- Disallow all access. - Direct the device to an enterprise honeypot, to further monitor the device's activities. **TPMVersion** @@ -1153,13 +1164,12 @@ The measurement that is captured in PCR[0] typically represents a consistent vie Enterprise managers can create an allowlist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allowlist, and then make a trust decision based on the result of the comparison. If your enterprise doesn't have an allowlist of accepted PCR[0] values, then take no action. - If PCR[0] equals an accepted allowlist value, then allow access. If PCR[0] doesn't equal any accepted listed value, then take one of the following actions that align with your enterprise policies: -- Disallow all access -- Direct the device to an enterprise honeypot, to further monitor the device's activities. +- Disallow all access. +- Direct the device to an enterprise honeypot, to further monitor the device's activities. **SBCPHash** @@ -1169,7 +1179,7 @@ If SBCPHash isn't present, or is an accepted allow-listed value, then allow acce If SBCPHash is present in DHA-Report, and isn't an allowlisted value, then take one of the following actions that align with your enterprise policies: -- Disallow all access +- Disallow all access. - Place the device in a watch list to monitor the device more closely for potential risks. **CIPolicy** @@ -1180,7 +1190,7 @@ If CIPolicy isn't present, or is an accepted allow-listed value, then allow acce If CIPolicy is present and isn't an allow-listed value, then take one of the following actions that align with your enterprise policies: -- Disallow all access +- Disallow all access. - Place the device in a watch list to monitor the device more closely for potential risks. **BootRevListInfo** @@ -1191,7 +1201,7 @@ If reported BootRevListInfo version equals an accepted value, then allow access. If reported BootRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: -- Disallow all access +- Disallow all access. - Direct the device to an enterprise honeypot, to further monitor the device's activities. **OSRevListInfo** @@ -1202,7 +1212,7 @@ If reported OSRevListInfo version equals an accepted value, then allow access. If reported OSRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: -- Disallow all access +- Disallow all access. - Direct the device to an enterprise honeypot, to further monitor the device's activities. **HealthStatusMismatchFlags** diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md deleted file mode 100644 index b50647fabd..0000000000 --- a/windows/client-management/mdm/messaging-csp.md +++ /dev/null @@ -1,113 +0,0 @@ ---- -title: Messaging CSP -description: Use the Messaging configuration service provider (CSP) to configure the ability to get text messages audited on a mobile device. -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: dansimp -ms.date: 06/26/2017 -ms.reviewer: -manager: dansimp ---- - -# Messaging CSP - -The Messaging configuration service provider is used to configure the ability to get text messages audited on a mobile device. This CSP was added in Windows 10, version 1703. - -The following shows the Messaging configuration service provider in tree format. - -```console -./User/Vendor/MSFT -Messaging -----AuditingLevel -----Auditing ---------Messages -----------Count -----------RevisionId -----------Data -``` - -**./User/Vendor/MSFT/Messaging** - -Root node for the Messaging configuration service provider.
- -**AuditingLevel** -Turns on the "Text" auditing feature.
-The following list shows the supported values:
-Supported operations are Get and Replace.
- -**Auditing** -Node for auditing.
-Supported operation is Get.
- -**Messages** -Node for messages.
-Supported operation is Get.
- -**Count** -The number of messages to return in the Data setting. The default is 100.
-Supported operations are Get and Replace.
- -**RevisionId** -Retrieves messages whose revision ID is greater than RevisionId.
-Supported operations are Get and Replace.
- -**Data** -The JSON string of text messages on the device.
-Supported operations are Get and Replace.
- - -**SyncML example** - -```xml -The root node for the Reboot configuration service provider.
-The supported operation is Get.
+**./Vendor/MSFT/Reboot** + +The root node for the Reboot configuration service provider. + +The supported operation is Get. **RebootNow** -This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work.
+ +This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. > [!NOTE] > If this node is set to execute during a sync session, the device will reboot at the end of the sync session. -The supported operations are Execute and Get.
+The supported operations are Execute and Get. **Schedule** -The supported operation is Get.
+ +The supported operation is Get. **Schedule/Single** -This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required. -Example to configure: 2018-10-25T18:00:00
+ +This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required. +Example to configure: 2018-10-25T18:00:00 Setting a null (empty) date will delete the existing schedule. In accordance with the ISO 8601 format, the date and time representation needs to be 0000-00-00T00:00:00. -The supported operations are Get, Add, Replace, and Delete.
- -The supported data type is "String".
+- The supported operations are Get, Add, Replace, and Delete. +- The supported data type is "String". **Schedule/DailyRecurrent** -This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00. -Example to configure: 2018-10-25T18:00:00
-The supported operations are Get, Add, Replace, and Delete.
+This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00. +Example to configure: 2018-10-25T18:00:00 -The supported data type is "String".
+- The supported operations are Get, Add, Replace, and Delete. +- The supported data type is "String". ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index aa6d711c71..186190cbec 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # Reboot DDF file - This topic shows the OMA DM device description framework (DDF) for the **Reboot** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -147,8 +146,7 @@ The XML below is the current version for this CSP. ## Related topics - -[Reboot configuration service provider](reboot-csp.md) +[Reboot CSP](reboot-csp.md) diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md index 51ce1f0fd5..83a95ac493 100644 --- a/windows/client-management/mdm/remotefind-csp.md +++ b/windows/client-management/mdm/remotefind-csp.md @@ -14,6 +14,15 @@ ms.date: 06/26/2017 # RemoteFind CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The RemoteFind configuration service provider retrieves the location information for a particular device. @@ -37,21 +46,24 @@ Optional. The node accepts the requested radius value in meters. Valid values fo The default value is 50. Replacing this value only replaces it for the current session. The value isn't retained. -Supported operations are Replace and Get. The Add command isn't supported. +- Supported operations are Replace and Get. +- The Add command isn't supported. **Timeout** Optional. Value is DWORD in seconds. The default value is 7, and the range is 0 to 1800 seconds. Replacing this value only replaces it for the current session. The value isn't retained. -Supported operations are Replace and Get. The Add command isn't supported. +- Supported operations are Replace and Get. +- The Add command isn't supported. **MaximumAge** Optional. The value represents the desired time window in minutes that the server will accept a successful location retrieval. The node enables the server to set the requested age value in 100 nanoseconds. Valid values for accuracy include any integer value between 0 and 1440 minutes. The default value is 60. Replacing this value only replaces it for the current session. The value isn't retained. -Supported operations are Replace and Get. The Add command isn't supported. +- Supported operations are Replace and Get. +- The Add command isn't supported. **Location** Required. Nodes under this path must be queried atomically in order to succeed. This condition is to prevent servers from querying incomplete sets of data. @@ -102,7 +114,7 @@ The default value is 0. Supported operation is Get. **Age** -Required. Provides the age in 100 nanoseconds for current location data. +Required. Provides the age in 100 nanoseconds for the current location data. The value returned is an integer. @@ -176,7 +188,6 @@ Supported operation is Get. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md index e6b61e9477..3886bb405d 100644 --- a/windows/client-management/mdm/remotefind-ddf-file.md +++ b/windows/client-management/mdm/remotefind-ddf-file.md @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # RemoteFind DDF file - This topic shows the OMA DM device description framework (DDF) for the **RemoteFind** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -298,7 +297,9 @@ The XML below is the current version for this CSP. ``` - +## Related topics + +[RemoteFind CSP](remotefind-csp.md) diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md deleted file mode 100644 index 548923b5fe..0000000000 --- a/windows/client-management/mdm/remotering-csp.md +++ /dev/null @@ -1,65 +0,0 @@ ---- -title: RemoteRing CSP -description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device. -ms.assetid: 70015243-c07f-46cb-a0f9-4b4ad13a5609 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: dansimp -ms.date: 06/26/2017 ---- - -# RemoteRing CSP - - -You can use the RemoteRing configuration service provider to remotely trigger a device to produce an audible ringing sound, regardless of the volume that is set on the device. - -The following DDF format shows the RemoteRing configuration service provider in tree format. -``` -./User/Vendor/MSFT -RemoteRing -----Ring - - -./Device/Vendor/MSFT -Root - - -./User/Vendor/MSFT -./Device/Vendor/MSFT -RemoteRing -----Ring -``` -**Ring** -Required. The node accepts requests to ring the device. - -The supported operation is Exec. - -## Examples - - -The following sample shows how to initiate a remote ring on the device. - -```xml -The root node for the Surface Hub configuration service provider. +The root node for the Surface Hub configuration service provider. **DeviceAccount** -
Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account. +Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account. -
To use a device account from Azure Active Directory +To use a device account from Azure Active Directory 1. Set the UserPrincipalName (for Azure AD). 2. Set a valid Password. @@ -89,7 +91,7 @@ SurfaceHub > If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress. -
Here's a SyncML example.
+Here's a SyncML example.
```xml
To use a device account from Active Directory +To use a device account from Active Directory: 1. Set the DomainName. 2. Set the UserName. @@ -147,207 +149,268 @@ SurfaceHub 4. Execute the ValidateAndCommit node. **DeviceAccount/DomainName** -
Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. -
The data type is string. Supported operation is Get and Replace. +Domain of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + +- The data type is string. +- Supported operation is Get and Replace. **DeviceAccount/UserName** -
Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. -
The data type is string. Supported operation is Get and Replace. +Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + +- The data type is string. +- Supported operation is Get and Replace. **DeviceAccount/UserPrincipalName** -
User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. -
The data type is string. Supported operation is Get and Replace. +User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. + +- The data type is string. +- Supported operation is Get and Replace. **DeviceAccount/SipAddress** -
Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. -
The data type is string. Supported operation is Get and Replace. +Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. + +- The data type is string. +- Supported operation is Get and Replace. **DeviceAccount/Password** -
Password for the device account. -
The data type is string. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank. +Password for the device account. + +- The data type is string. +- Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank. **DeviceAccount/ValidateAndCommit** -
This method validates the data provided and then commits the changes. -
The data type is string. Supported operation is Execute. +This method validates the data provided and then commits the changes. + +- The data type is string. +- Supported operation is Execute. **DeviceAccount/Email** -
Email address of the device account. -
The data type is string. +Email address of the device account. The data type is string. -**DeviceAccount/PasswordRotationEnabled** -
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). +**DeviceAccount/ +PasswordRotationEnabled** -
Valid values: +Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). + +Valid values: - 0 - password rotation enabled - 1 - disabled -
The data type is integer. Supported operation is Get and Replace. +It performs the following: +- The data type is integer. +- Supported operation is Get and Replace. **DeviceAccount/ExchangeServer** -
Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. -
The data type is string. Supported operation is Get and Replace. +Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. + +- The data type is string. +- Supported operation is Get and Replace. **DeviceAccount/ExchangeModernAuthEnabled** -
Added in KB4598291 for Windows 10, version 20H2. Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True. -
The data type is boolean. Supported operation is Get and Replace. +Added in KB4598291 for Windows 10, version 20H2. Specifies, whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True. + +- The data type is boolean. +- Supported operation is Get and Replace. **DeviceAccount/CalendarSyncEnabled** -
Specifies whether calendar sync and other Exchange server services is enabled. -
The data type is boolean. Supported operation is Get and Replace.
+Specifies, whether calendar sync and other Exchange server services is enabled.
+
+- The data type is boolean.
+- Supported operation is Get and Replace.
**DeviceAccount/ErrorContext**
If there's an error calling ValidateAndCommit, there's another context for that error in this node. Here are the possible error values:
-| ErrorContext value | Stage where error occurred | Description and suggestions |
+| **ErrorContext value** | **Stage where error occurred** | **Description and suggestions** |
| --- | --- | --- |
| 1 | Unknown | |
-| 2 | Populating account | Unable to retrieve account details using the username and password you provided.
-For Azure AD accounts, ensure that UserPrincipalName and Password are valid.
-For AD accounts, ensure that DomainName, UserName, and Password are valid.
-Ensure that the specified account has an Exchange server mailbox. |
+| 2 | Populating account | Unable to retrieve account details using the username and password you provided.
For Azure AD accounts, ensure that UserPrincipalName and Password are valid.
For AD accounts, ensure that DomainName, UserName, and Password are valid.
Ensure that the specified account has an Exchange server mailbox. |
| 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. |
-| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure that the ExchangeServer field is valid. |
+| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. |
| 5 | Saving account information | Unable to save account details to the system. |
| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Make sure the EAS policy is configured correctly according to the admin guide. |
-The data type is integer. Supported operation is Get.
+It performs the following:
+- The data type is integer.
+- Supported operation is Get.
**MaintenanceHoursSimple/Hours**
-
-
Node for maintenance schedule. +Node for maintenance schedule. **MaintenanceHoursSimple/Hours/StartTime** -
Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. -
The data type is integer. Supported operation is Get and Replace. +Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. + +- The data type is integer. +- Supported operation is Get and Replace. **MaintenanceHoursSimple/Hours/Duration** -
Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. -
The data type is integer. Supported operation is Get and Replace. +Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. + +- The data type is integer. +- Supported operation is Get and Replace. **InBoxApps** -
Node for the in-box app settings. + +Node for the in-box app settings. **InBoxApps/SkypeForBusiness** -
Added in Windows 10, version 1703. Node for the Skype for Business settings. + +Added in Windows 10, version 1703. Node for the Skype for Business settings. **InBoxApps/SkypeForBusiness/DomainName** -
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online. -
The data type is string. Supported operation is Get and Replace. +Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online. + +- The data type is string. +- Supported operation is Get and Replace. **InBoxApps/Welcome** -
Node for the welcome screen. +Node for the welcome screen. **InBoxApps/Welcome/AutoWakeScreen** -
Automatically turn on the screen using motion sensors. -
The data type is boolean. Supported operation is Get and Replace. +Automatically turn on the screen using motion sensors. + +- The data type is boolean. +- Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -
Download location for image to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub, otherwise it may not be able to load the image. -
The data type is string. Supported operation is Get and Replace. +Download location for image, to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub. Otherwise, it may not be able to load the image. + +- The data type is string. +- Supported operation is Get and Replace. **InBoxApps/Welcome/MeetingInfoOption** -
Meeting information displayed on the welcome screen. -
Valid values: +Meeting information displayed on the welcome screen. + +Valid values: - 0 - Organizer and time only - 1 - Organizer, time, and subject. Subject is hidden in private meetings. -
The data type is integer. Supported operation is Get and Replace. +It performs the following: +- The data type is integer. +- Supported operation is Get and Replace. **InBoxApps/Whiteboard** -
Node for the Whiteboard app settings. + +Node for the Whiteboard app settings. **InBoxApps/Whiteboard/SharingDisabled** -
Invitations to collaborate from the Whiteboard app aren't allowed. -
The data type is boolean. Supported operation is Get and Replace. +Invitations to collaborate from the Whiteboard app aren't allowed. + +- The data type is boolean. +- Supported operation is Get and Replace. **InBoxApps/Whiteboard/SigninDisabled** -
Sign-ins from the Whiteboard app aren't allowed. -
The data type is boolean. Supported operation is Get and Replace. +Sign-in from the Whiteboard app aren't allowed. + +- The data type is boolean. +- Supported operation is Get and Replace. **InBoxApps/Whiteboard/TelemeteryDisabled** -
Telemetry collection from the Whiteboard app isn't allowed. -
The data type is boolean. Supported operation is Get and Replace. +Telemetry collection from the Whiteboard app isn't allowed. + +- The data type is boolean. +- Supported operation is Get and Replace. **InBoxApps/WirelessProjection** -
Node for the wireless projector app settings. + +Node for the wireless projector app settings. **InBoxApps/WirelessProjection/PINRequired** -
Users must enter a PIN to wirelessly project to the device. -
The data type is boolean. Supported operation is Get and Replace. +Users must enter a PIN to wireless project to the device. + +- The data type is boolean. +- Supported operation is Get and Replace. **InBoxApps/WirelessProjection/Enabled** -
Enables wireless projection to the device. -
The data type is boolean. Supported operation is Get and Replace. +Enables wireless projection to the device. + +- The data type is boolean. +- Supported operation is Get and Replace. **InBoxApps/WirelessProjection/Channel** -
Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. -|Compatibility|Values| +Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. + +|**Compatibility**|**Values**| |--- |--- | |Works with all Miracast senders in all regions|1, 3, 4, 5, 6, 7, 8, 9, 10, 11| |Works with all 5ghz band Miracast senders in all regions|36, 40, 44, 48| |Works with all 5ghz band Miracast senders in all regions except Japan|149, 153, 157, 161, 165| +The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver will either not boot or will broadcast on the wrong channel (which senders won't be looking for). -
The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). - -
The data type is integer. Supported operation is Get and Replace. +- The data type is integer. +- Supported operation is Get and Replace. **InBoxApps/Connect** -
Added in Windows 10, version 1703. Node for the Connect app. + +Added in Windows 10, version 1703. Node for the Connect app. **InBoxApps/Connect/AutoLaunch** -
Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated. -
If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings. +Added in Windows 10, version 1703. Specifies, whether to automatically launch the Connect app whenever a projection is initiated. -
The data type is boolean. Supported operation is Get and Replace. +If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings. + +- The data type is boolean. +- Supported operation is Get and Replace. **Properties** -
Node for the device properties. + +Node for the device properties. **Properties/FriendlyName** -
Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device. -
The data type is string. Supported operation is Get and Replace. +Friendly name of the device. Specifies the name that users see when they want wireless project to the device. + +- The data type is string. +- Supported operation is Get and Replace. **Properties/DefaultVolume** -
Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45. -
The data type is integer. Supported operation is Get and Replace. +Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45. + +- The data type is integer. +- Supported operation is Get and Replace. **Properties/DefaultAutomaticFraming** -
Added in KB5010415 for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True. -
The data type is boolean. Supported operation is Get and Replace. +Added in KB5010415 for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True. + +- The data type is boolean. +- Supported operation is Get and Replace. **Properties/ScreenTimeout** -
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off. -
The following table shows the permitted values. +Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off. -|Value|Description| +The following table shows the permitted values. + +|**Value**|**Description**| |--- |--- | |0|Never time out| |1|1 minute| @@ -361,14 +424,17 @@ The data type is integer. Supported operation is Get. |120|2 hours| |240|4 hours| -
The data type is integer. Supported operation is Get and Replace. +It performs the following: +- The data type is integer. +- Supported operation is Get and Replace. **Properties/SessionTimeout** -
Added in Windows 10, version 1703. Specifies the number of minutes until the session times out. -
The following table shows the permitted values. +Added in Windows 10, version 1703. Specifies the number of minutes until the session times out. -|Value|Description| +The following table shows the permitted values. + +|**Value**|**Description**| |--- |--- | |0|Never time out| |1|1 minute (default)| @@ -382,14 +448,17 @@ The data type is integer. Supported operation is Get. |120|2 hours| |240|4 hours| -
The data type is integer. Supported operation is Get and Replace. +It performs the following: +- The data type is integer. +- Supported operation is Get and Replace. **Properties/SleepTimeout** -
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode. -
The following table shows the permitted values. +Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode. -|Value|Description| +The following table shows the permitted values. + +|**Value**|**Description**| |--- |--- | |0|Never time out| |1|1 minute| @@ -403,61 +472,80 @@ The data type is integer. Supported operation is Get. |120|2 hours| |240|4 hours| -
The data type is integer. Supported operation is Get and Replace. +It performs the following: +- The data type is integer. +- Supported operation is Get and Replace. **Properties/SleepMode** -
Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub. -
Valid values: +Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub. + +Valid values: - 0 - Connected Standby (default) - 1 - Hibernate -
The data type is integer. Supported operation is Get and Replace. +It performs the following: +- The data type is integer. +- Supported operation is Get and Replace. **Properties/AllowSessionResume** -
Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. -
If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. +Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. -
The data type is boolean. Supported operation is Get and Replace. +If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. + +- The data type is boolean. +- Supported operation is Get and Replace. **Properties/AllowAutoProxyAuth** -
Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication. -
If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. +Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication. -
The data type is boolean. Supported operation is Get and Replace. +If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. + +- The data type is boolean. +- Supported operation is Get and Replace. **Properties/ProxyServers** -
Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://). -
The data type is string. Supported operation is Get and Replace. +Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://). + +- The data type is string. +- Supported operation is Get and Replace. **Properties/DisableSigninSuggestions** -
Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. -
If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate. +Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. -
The data type is boolean. Supported operation is Get and Replace. +If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate. + +- The data type is boolean. +- Supported operation is Get and Replace. **Properties/DoNotShowMyMeetingsAndFiles** -
Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. -
If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown. +Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. -
The data type is boolean. Supported operation is Get and Replace. +If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown. + +- The data type is boolean. +- Supported operation is Get and Replace. **MOMAgent** -
Node for the Microsoft Operations Management Suite. + +Node for the Microsoft Operations Management Suite. **MOMAgent/WorkspaceID** -
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent. -
The data type is string. Supported operation is Get and Replace. +GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent. -**MOMAgent/WorkspaceKey** -
Primary key for authenticating with the workspace. +- The data type is string. +- Supported operation is Get and Replace. -
The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
+**MOMAgent/WorkspaceKey**
+Primary key for authenticating with the workspace.
+
+- The data type is string.
+- Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
\ No newline at end of file
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index 6f4815ab07..61939e6c29 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -13,6 +13,16 @@ manager: dansimp
# TenantLockdown CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, version 1809.
@@ -28,16 +38,21 @@ TenantLockdown
----RequireNetworkInOOBE
```
**./Vendor/MSFT/TenantLockdown**
-The root node.
+The root node for the TenantLockdown configuration service provider.
**RequireNetworkInOOBE**
-Specifies whether to require a network connection during the out-of-box experience (OOBE) at first sign in.
+Specifies whether a network connection is required during the out-of-box experience (OOBE) at first logon.
When RequireNetworkInOOBE is true, when the device goes through OOBE at first sign in or after a reset, the user is required to choose a network before proceeding. There's no "skip for now" option.
-Value type is bool. Supported operations are Get and Replace.
+- Value type is bool.
+- Supported operations are Get and Replace.
-- True - Require network in OOBE
-- False - No network connection requirement in OOBE
+ - True - Require network in OOBE.
+ - False - No network connection requirement in OOBE.
-Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they're required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There's no option to skip the network connection and create a local account.
+Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index af4f245a6e..e85778cb28 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -75,3 +75,7 @@ The XML below is for Windows 10, version 1809.
```
+
+## Related topics
+
+[TenantLockdown CSP](tenantlockdown-csp.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 0027a560db..bf47fbcbfc 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -255,8 +255,6 @@ items:
items:
- name: EnterpriseAPN DDF
href: enterpriseapn-ddf.md
- - name: EnterpriseAppManagement CSP
- href: enterpriseappmanagement-csp.md
- name: EnterpriseAppVManagement CSP
href: enterpriseappvmanagement-csp.md
items:
@@ -296,11 +294,6 @@ items:
items:
- name: HealthAttestation DDF
href: healthattestation-ddf.md
- - name: Messaging CSP
- href: messaging-csp.md
- items:
- - name: Messaging DDF file
- href: messaging-ddf.md
- name: MultiSIM CSP
href: multisim-csp.md
items:
@@ -853,11 +846,6 @@ items:
items:
- name: RemoteFind DDF file
href: remotefind-ddf-file.md
- - name: RemoteRing CSP
- href: remotering-csp.md
- items:
- - name: RemoteRing DDF file
- href: remotering-ddf-file.md
- name: RemoteWipe CSP
href: remotewipe-csp.md
items:
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index 62808bc9bb..f3ba7e9ad2 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -13,6 +13,16 @@ manager: dansimp
# WiredNetwork CSP
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -39,17 +49,19 @@ WiredNetwork
----EnableBlockPeriod
```
**./Device/Vendor/MSFT/WiredNetwork**
-Root node.
+The root node for the wirednetwork configuration service provider.
**LanXML**
Optional. XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx.
-Supported operations are Add, Get, Replace, and Delete. Value type is string.
+- Supported operations are Add, Get, Replace, and Delete.
+- Value type is string.
**EnableBlockPeriod**
Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt.
-Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+- Supported operations are Add, Get, Replace, and Delete.
+- Value type is integer.
The following example shows how to add a wired network profile:
```xml
@@ -70,3 +82,7 @@ The following example shows how to add a wired network profile:
```
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md
index bc61e8f7d0..f527c65745 100644
--- a/windows/client-management/mdm/wirednetwork-ddf-file.md
+++ b/windows/client-management/mdm/wirednetwork-ddf-file.md
@@ -167,3 +167,7 @@ The XML below is the current version for this CSP.
```
+
+## Related topics
+
+[WiredNetwork CSP](wirednetwork-csp.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 49ed9f19f0..e1fac8d907 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -25,7 +25,7 @@ ms.reviewer:
- Hybrid deployment
- Certificate trust
-Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
+Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
@@ -35,7 +35,7 @@ Your environment is federated and you are ready to configure device registration
Use this three-phased approach for configuring device registration.
-1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
+1. [Configure devices to register in Azure](#configure-hybrid-azure-ad-join)
2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization)
3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices)
@@ -51,11 +51,21 @@ Use this three-phased approach for configuring device registration.
>[!IMPORTANT]
> To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594).
-## Configure Azure for Device Registration
+## Configure Hybrid Azure AD join
-Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
+To support hybrid Windows Hello for Business, configure hybrid Azure AD join.
-To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal)
+Follow the guidance on [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment.
+
+If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps:
+
+- Configure Azure AD Connect to sync the user's on-premises UPN to the `onPremisesUserPrincipalName attribute` in Azure AD.
+- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD.
+
+You can learn more about this scenario by reading [Review on-premises UPN support for Hybrid Azure Ad join](/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join).
+
+> [!NOTE]
+> Windows Hello for Business Hybrid key trust is not supported, if your users' on-premises domain cannot be added as a verified domain in Azure AD.
## Configure Active Directory to support Azure device synchronization
@@ -90,14 +100,14 @@ Sign-in to the domain controller hosting the schema master operational role usin
2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO.
3. To update the schema, type ```adprep /forestprep```.
4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema.
-5. Close the Command Prompt and sign-out.
+5. Close the Command Prompt and sign out.
> [!NOTE]
> If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured.
### Setup Active Directory Federation Services
-If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service.
+If you're new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service.
Review the [AD FS Design guide](/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service.
Once you have your AD FS design ready, review [Deploying a Federation Server farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment.
@@ -115,11 +125,11 @@ Use the [Setting of a Federation Proxy](/windows-server/identity/ad-fs/deploymen
Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
-When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**.
+When you're ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**.
### Create AD objects for AD FS Device Authentication
-If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.
+If your AD FS farm isn't already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.
> [!NOTE]
@@ -127,10 +137,10 @@ If your AD FS farm is not already configured for Device Authentication (you can
1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**.
-2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands:
+2. On your AD FS primary server, ensure you're logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands:
`Import-module activedirectory`
`PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "
-4. Once this is done, you will see a successful completion message.
+4. Once this is done, you'll see a successful completion message.
@@ -180,20 +190,20 @@ To ensure AD DS objects and containers are in the correct state for write back o
Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format
-The above command creates the following objects for device write back to AD DS, if they do not exist already, and allows access to the specified AD connector account name
+The above command creates the following objects for device write back to AD DS, if they don't exist already, and allows access to the specified AD connector account name
- RegisteredDevices container in the AD domain partition
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
### Enable Device Write Back in Azure AD Connect
-If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets
+If you haven't done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets
## Configure AD FS to use Azure registered devices
### Configure issuance of claims
-In a federated Azure AD configuration, devices rely on Active Directory Federation Services (AD FS) or a 3rd party on-premises federation service to authenticate to Azure AD. Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS).
+In a federated Azure AD configuration, devices rely on Active Directory Federation Services (AD FS) or a third party on-premises federation service to authenticate to Azure AD. Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS).
Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service.
@@ -211,17 +221,17 @@ When you're using AD FS, you need to enable the following WS-Trust endpoints:
> [!NOTE]
>If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX).
-The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises.
+The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information that is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises.
- `http://schemas.microsoft.com/ws/2012/01/accounttype`
- `http://schemas.microsoft.com/identity/claims/onpremobjectguid`
- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`
-If you have more than one verified domain name, you need to provide the following claim for computers:
+If you've more than one verified domain name, you need to provide the following claim for computers:
- `http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`
-If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding claim for computers:
+If you're already issuing an ImmutableID claim (for example, alternate sign in ID) you need to provide one corresponding claim for computers:
- `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`
@@ -300,7 +310,7 @@ The definition helps you to verify whether the values are present or if you need
#### Issue issuerID for computer when multiple verified domain names in Azure AD
-**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
+**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or third party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
```powershell
@@ -352,10 +362,10 @@ In the claim above,
- `$