diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index e0b8f44952..ea3c312239 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 10/30/2017 --- # DMClient CSP @@ -252,6 +252,11 @@ Optional. Added in Windows 10, version 1703. Specify the Discovery server URL o Supported operations are Add, Delete, Get, and Replace. Value type is string. +**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll** +Optional. Number of days after last sucessful sync to unenroll. + +Supported operations are Add, Delete, Get, and Replace. Value type is integer. + **Provider/*ProviderID*/Poll** Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. @@ -639,6 +644,90 @@ Optional. Added in Windows 10, version 1703. Specifies the display text for the Supported operations are Add, Delete, Get, and Replace. Value type is string. +**Provider/*ProviderID*/FirstSyncStatus** +Optional node. Added in Windows 10, version 1709. + +**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies** +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + +Supported operations are Add, Delete, Get, and Replace. Value type is string. + +**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles** +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the the management service provider expects to provision, delimited by the character L"\xF000". + +Supported operations are Add, Delete, Get, and Replace. Value type is string. + +**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages** +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing 4 apps, and ProductID2 containing 2 apps. + +Supported operations are Add, Delete, Get, and Replace. Value type is string. + +**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages** +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example, + +``` syntax +./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" +./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 +``` + +This represents App Package PackageFullName containing 4 apps, and PackageFullName2 containing 2 apps. + +Supported operations are Add, Delete, Get, and Replace. Value type is string. + +**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts** +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + +Supported operations are Add, Delete, Get, and Replace. Value type is string. + +**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts** +Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + +Supported operations are Add, Delete, Get, and Replace. Value type is string. + +**Provider/*ProviderID*/FirstSyncStatus/TimeOutUntilSyncFailure** +Required. Added in Windows 10, version 1709. This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day). + +Supported operations are Get and Replace. Value type is integer. + +**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning** +Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. + +Supported operations are Get and Replace. Value type is boolean. + +**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). + +Supported operations are Get and Replace. Value type is boolean. + +**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned** +Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. + +Supported operations are Get and Replace. Value type is integer. + +**Provider/*ProviderID*/EnhancedAppLayerSecurity** +Required node. Added in Windows 10, version 1709. + +Supported operation is Get. + +**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode** +Required. Added in Windows 10, version 1709. This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0. + +Supported operations are Add, Get, Replace, and Delete. Value type is integer. + +**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline** +Required. Added in Windows 10, version 1709. This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set. + +Supported operations are Add, Get, Replace, and Delete. Value type is boolean. + +**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert0** +Required. Added in Windows 10, version 1709. The node contains the primary certificate - the public key to use. + +Supported operations are Add, Get, Replace, and Delete. Value type is string. + +**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert1** +Required. Added in Windows 10, version 1709. The node contains the secondary certificate - the public key to use. + +Supported operations are Add, Get, Replace, and Delete. Value type is string. + **Provider/*ProviderID*/Unenroll** Required. The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. Scope is permanent. diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index f328b3861d..9e03082567 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 10/30/2017 --- # DMClient DDF file @@ -20,1071 +20,1450 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1907. ``` syntax -]> - - 1.2 - + + 1.2 + DMClient ./Vendor/MSFT - - - - - - - - - - - - - - com.microsoft/1.3/MDM/DMClient - + + + + + + + + + + + + + + com.microsoft/1.4/MDM/DMClient + - Provider + Provider + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + text/plain + - - - - - - - - - - - - - - - - - - text/plain - - - - EntDeviceName - - - - - - - - - - - - - - - - - - text/plain - - - - - ExchangeID - - - - - - - - - - - - - - - - - - text/plain - - - - - EntDMID - - - - - - - - - - - - - - - - - - text/plain - - - - - SignedEntDMID - - - - - - - - - - - - - - - - - - text/plain - - - - - CertRenewTimeStamp - - - - - - - - - - - - - - - - - - text/plain - - - - - - PublisherDeviceID - - - - - - - - - - - - - - - - - - text/plain - - - - - - ManagementServiceAddress - - - - - - - - - - - - - - - - text/plain - - - - - UPN - - - - - - - - - - - - - - - - - text/plain - - - - - HelpPhoneNumber - - - - - - - - - - - - - - - - - - text/plain - - - - - HelpWebsite - - - - - - - - - - - - - - - - - - text/plain - - - - - HelpEmailAddress - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireMessageSigning - - - - - - - - - - - - - - - - - - text/plain - - - - - SyncApplicationVersion - - - - - - - - - - - - - - - - - - text/plain - - - - - MaxSyncApplicationVersion - - - - - - - - - - - - - - - text/plain - - - - - Unenroll - - - - - - - - - - - - - - - - text/plain - - - - - AADResourceID - - - - - - - - - - - - - - - - - text/plain - - - - - AADDeviceID - - - - - Device ID used for AAD device registration - - - - - - - - - - - text/plain - - - - - EnrollmentType - - - - - Type of MDM enrollment - - - - - - - - - - - text/plain - - - - - EnableOmaDmKeepAliveMessage - - - - - - - - - - - - - - - - text/plain - - - - - HWDevID - - - - - - - - - - - - - - - text/plain - - - - - ManagementServerAddressList - - - - - - - - - - - - - - - - text/plain - - - - - CommercialID - - - - - - - - - - - - - - - - - - text/plain - - - - - ManagementServerToUpgradeTo - - - - - - - - Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device - - - - - - - - - - - text/plain - - - - - Push - - - - - - - - - - - - - - - - - - - - - PFN - - - - - - - - - - - - - - - - - - text/plain - - - - - ChannelURI - - - - - - - - - - - - - - - text/plain - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - - Poll - - - - - - - - - - - - - - - - - - - - - IntervalForFirstSetOfRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - NumberOfFirstRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - IntervalForSecondSetOfRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - NumberOfSecondRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - IntervalForRemainingScheduledRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - NumberOfRemainingScheduledRetries - - - - - - - - - - - - - - - - - - text/plain - - - - - PollOnLogin - - - - - - - - - - - - - - - - - - text/plain - - - - - AllUsersPollOnFirstLogin - - - - - - - - - - - - - - - - - - text/plain - - - - - - CustomEnrollmentCompletePage - - - - - - - - - - - - - - - - - - - - - Title - - - - - - - - - - - - - - - - - - text/plain - - - - - BodyText - - - - - - - - - - - - - - - - - - text/plain - - - - - HyperlinkHref - - - - - - - - - - - - - - - - - - text/plain - - - - - HyperlinkText - - - - - - - - - - - - - - - - - - text/plain - - - - - - - - Unenroll - + EntDeviceName + - - + + + + - + - + - + - text/plain + text/plain - - - - UpdateManagementServiceAddress - + + + + ExchangeID + + + + + + + + + + + + + + + + + text/plain + + + + + EntDMID + + + + + + + + + + + + + + + + + + text/plain + + + + + SignedEntDMID + + + + + + + + + + + + + + + + + + text/plain + + + + + CertRenewTimeStamp + + + + + + + + + + + + + + + + + + text/plain + + + + + + PublisherDeviceID + + + + + + + + + + + + + + + + + + text/plain + + + + + + ManagementServiceAddress + + + + + + + + + + + + + + + + text/plain + + + + + UPN + + + + + + + + + + + + + + + + + text/plain + + + + + HelpPhoneNumber + + + + + + + + + + + + + + + + + + text/plain + + + + + HelpWebsite + + + + + + + + + + + + + + + + + + text/plain + + + + + HelpEmailAddress + + + + + + + + + + + + + + + + + + text/plain + + + + + RequireMessageSigning + + + + + + + + + + + + + + + + + + text/plain + + + + + SyncApplicationVersion + + + + + + + + + + + + + + + + + + text/plain + + + + + MaxSyncApplicationVersion + + + + + + + + + + + + + + + text/plain + + + + + Unenroll + + + + + + + + + + + + + + + + text/plain + + + + + AADResourceID + + + + + + + + + + + + + + + + + text/plain + + + + + AADDeviceID + + + + + Device ID used for AAD device registration + + + + + + + + + + + text/plain + + + + + EnrollmentType + + + + + Type of MDM enrollment + + + + + + + + + + + text/plain + + + + + EnableOmaDmKeepAliveMessage + + + + + + + + + + + + + + + + text/plain + + + + + HWDevID + + + + + + + + + + + + + + + text/plain + + + + + ManagementServerAddressList + + + + + + + + + + + + + + + + text/plain + + + + + CommercialID + + + + + + + + + + + + + + + + + + text/plain + + + + + ManagementServerToUpgradeTo + + + + + + + + Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device + + + + + + + + + + + text/plain + + + + + NumberOfDaysAfterLostContactToUnenroll + + + + + + + + Number of days after last sucessful sync to unenroll + + + + + + + + + + + text/plain + + + + + Push + + + + + + + + + + + + + + + + + + + + + PFN + + + + + + + + + + + + + + + + text/plain + + + + + ChannelURI + + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + + Poll + + + + + - + - + - + - text/plain + - + + + IntervalForFirstSetOfRetries + + + + + + + + + + + + + + + + + + text/plain + + + + + NumberOfFirstRetries + + + + + + + + + + + + + + + + + + text/plain + + + + + IntervalForSecondSetOfRetries + + + + + + + + + + + + + + + + + + text/plain + + + + + NumberOfSecondRetries + + + + + + + + + + + + + + + + + + text/plain + + + + + IntervalForRemainingScheduledRetries + + + + + + + + + + + + + + + + + + text/plain + + + + + NumberOfRemainingScheduledRetries + + + + + + + + + + + + + + + + + + text/plain + + + + + PollOnLogin + + + + + + + + + + + + + + + + + + text/plain + + + + + AllUsersPollOnFirstLogin + + + + + + + + + + + + + + + + + + text/plain + + + + + + CustomEnrollmentCompletePage + + + + + + + + + + + + + + + + + + + + + Title + + + + + + + + + + + + + + + + + + text/plain + + + + + BodyText + + + + + + + + + + + + + + + + + + text/plain + + + + + HyperlinkHref + + + + + + + + + + + + + + + + + + text/plain + + + + + HyperlinkText + + + + + + + + + + + + + + + + + + text/plain + + + + + + FirstSyncStatus + + + + + + + + + + + + + + + + + + + + + ExpectedPolicies + + + + + + + + This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + + + + + + + + + + + text/plain + + + + + ExpectedNetworkProfiles + + + + + + + + This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". + + + + + + + + + + + text/plain + + + + + ExpectedMSIAppPackages + + + + + + + + This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. + + + + + + + + + + + text/plain + + + + + ExpectedModernAppPackages + + + + + + + + This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. + + + + + + + + + + + text/plain + + + + + ExpectedPFXCerts + + + + + + + + This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + + + + + + + + + + + text/plain + + + + + ExpectedSCEPCerts + + + + + + + + This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). + + + + + + + + + + + text/plain + + + + + TimeOutUntilSyncFailure + + + + + + This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day). + + + + + + + + + + + text/plain + + + + + ServerHasFinishedProvisioning + + + + + + This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. + + + + + + + + + + + text/plain + + + + + IsSyncDone + + + + + + This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). + + + + + + + + + + + text/plain + + + + + WasDeviceSuccessfullyProvisioned + + + + + + Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. + + + + + + + + + + + text/plain + + + + + + EnhancedAppLayerSecurity + + + + + + + + + + + + + + + + + + + SecurityMode + + + + + + + + This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0. + + + + + + + + + + + text/plain + + + + + UseCertIfRevocationCheckOffline + + + + + + + + This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set. + + + + + + + + + + + text/plain + + + + + Cert0 + + + + + + + + The node contains the primary certificate - the public key to use. + + + + + + + + + + + text/plain + + + + + Cert1 + + + + + + + + The node contains the secondary certificate - the public key to use. + + + + + + + + + + + text/plain + + + + + - HWDevID - - - - - - - - - - - - - - - text/plain - - + Unenroll + + + + + + + + + + + + + + + + text/plain + + - + + UpdateManagementServiceAddress + + + + + + + + + + + + + + + + text/plain + + + + + HWDevID + + + + + + + + + + + + + + + text/plain + + + + -``` - -## Related topics - - -[DMClient configuration service provider](dmclient-csp.md) - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png index ae35570be6..88398bc1c5 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png and b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png differ diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 51ffdba22e..ac247a2a86 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -989,6 +989,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s +[DMClient CSP](dmclient-csp.md) +

Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

+ + [Bitlocker CSP](bitlocker-csp.md)

Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.

@@ -1390,6 +1394,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Defender/ControlledFolderAccessProtectedFolders - string separator is |.
    • + +[DMClient CSP](dmclient-csp.md) +

    Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

    +