deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

LAPS CSP

Browse Source
This commit is contained in:
Vinay Pamnani 2023-02-17 18:20:04 -05:00
parent 5c0cc3476f
commit b240087b96
3 changed files with 1337 additions and 1011 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1220
windows/client-management/mdm/laps-csp.md
View File

File diff suppressed because it is too large Load Diff

404
windows/client-management/mdm/laps-ddf-file.md
View File

@ -1,40 +1,29 @@
---
title: LAPS DDF file
description: Learn about the OMA DM device description framework (DDF) for the Local Administrator Password Solution configuration service provider.
ms.author: jsimmons
ms.topic: article
description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 02/17/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: jsimmons
ms.localizationpriority: medium
ms.date: 07/04/2022
ms.reviewer: jsimmons
manager: jsimmons
ms.topic: reference
---
# Local Administrator Password Solution DDF file
<!-- Auto-Generated CSP Document -->
This article shows the OMA DM device description framework (DDF) for the Local Administrator Password Solution (LAPS) configuration service provider.
# LAPS DDF file
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md).
The XML below is the current version for this CSP.
The following XML file contains the device description framework (DDF) for the LAPS configuration service provider.
```xml
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<identity
xmlns="urn:Microsoft.CompPlat/ManifestSchema.v1.00"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
owner="Microsoft"
namespace="Windows-DeviceManagement-CspDefinition"
name="LAPS">
<cspDefinition>
<MgmtTree>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<BinaryPath>"%windir%\system32\LapsCSP.dll</BinaryPath>
<Diagnostics></Diagnostics>
<ComClsid>{298a6f17-03e7-4bd4-971c-544f359527b7}</ComClsid>
<MSFT:Diagnostics>
</MSFT:Diagnostics>
<Node>
<NodeName>LAPS</NodeName>
<Path>./Device/Vendor/MSFT</Path>
@ -53,15 +42,13 @@ The XML below is the current version for this CSP.
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
<DDFName />
</DFType>
<Applicability>
<OsBuildVersion>99.9.99999</OsBuildVersion>
<CspVersion>1.0</CspVersion>
</Applicability>
<ExposedTo>
<Mdm />
</ExposedTo>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>Policies</NodeName>
@ -81,9 +68,9 @@ The XML below is the current version for this CSP.
</Scope>
<DFTitle>Policies</DFTitle>
<DFType>
<DDFName></DDFName>
<DDFName />
</DFType>
<AtomicRequired />
<MSFT:AtomicRequired />
</DFProperties>
<Node>
<NodeName>BackupDirectory</NodeName>
@ -114,22 +101,22 @@ If not specified, this setting will default to 0.</Description>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>0</Value>
<ValueDescription>Disabled (password will not be backed up)</ValueDescription>
</Enum>
<Enum>
<Value>1</Value>
<ValueDescription>Backup the password to Azure AD only</ValueDescription>
</Enum>
<Enum>
<Value>2</Value>
<ValueDescription>Backup the password to Active Directory only</ValueDescription>
</Enum>
</AllowedValues>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disabled (password will not be backed up)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Backup the password to Azure AD only</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Backup the password to Active Directory only</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
@ -159,27 +146,41 @@ This setting has a maximum allowed value of 365 days.</Description>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
<AllowedValues ValueType="Range">
<Value>[1-365]</Value>
</AllowedValues>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<DependencyChangedAllowedValues ValueType="Range">
<Value>[7-365]</Value>
</DependencyChangedAllowedValues>
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>1</Value>
<ValueDescription>BackupDirectory configured to Azure AD</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[1-365]</MSFT:Value>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="BackupDirectoryAADMode">
<MSFT:DependencyChangedAllowedValues ValueType="Range">
<MSFT:Value>[7-365]</MSFT:Value>
</MSFT:DependencyChangedAllowedValues>
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>BackupDirectory configured to Azure AD</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
<MSFT:DependencyGroup FriendlyId="BackupDirectoryADMode">
<MSFT:DependencyChangedAllowedValues ValueType="Range">
<MSFT:Value>[1-365]</MSFT:Value>
</MSFT:DependencyChangedAllowedValues>
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>BackupDirectory configured to Active Directory</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
@ -212,26 +213,26 @@ If not specified, this setting will default to 4.</Description>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>1</Value>
<ValueDescription>Large letters</ValueDescription>
</Enum>
<Enum>
<Value>2</Value>
<ValueDescription>Large letters + small letters</ValueDescription>
</Enum>
<Enum>
<Value>3</Value>
<ValueDescription>Large letters + small letters + numbers</ValueDescription>
</Enum>
<Enum>
<Value>4</Value>
<ValueDescription>Large letters + small letters + numbers + special characters</ValueDescription>
</Enum>
</AllowedValues>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Large letters</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Large letters + small letters</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>3</MSFT:Value>
<MSFT:ValueDescription>Large letters + small letters + numbers</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Large letters + small letters + numbers + special characters</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
@ -261,11 +262,11 @@ This setting has a maximum allowed value of 64 characters.</Description>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
<AllowedValues ValueType="Range">
<Value>[8-64]</Value>
</AllowedValues>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[8-64]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
@ -294,7 +295,7 @@ Note: if a custom managed local administrator account name is specified in this
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
</DFProperties>
</Node>
@ -323,31 +324,31 @@ If not specified, this setting defaults to True.</Description>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>false</Value>
<ValueDescription>Allow configured password expiriration timestamp to exceed maximum password age</ValueDescription>
</Enum>
<Enum>
<Value>true</Value>
<ValueDescription>Do not allow configured password expiriration timestamp to exceed maximum password age</ValueDescription>
</Enum>
</AllowedValues>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>2</Value>
<ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Allow configured password expiriration timestamp to exceed maximum password age</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Do not allow configured password expiriration timestamp to exceed maximum password age</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="BackupDirectory">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>BackupDirectory configured to Active Directory</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
@ -359,7 +360,7 @@ If not specified, this setting defaults to True.</Description>
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<DefaultValue>True</DefaultValue>
<Description>Use this setting to configure whether the password is encrypted before being stored in Active Directory.
This setting is ignored if the password is currently being stored in Azure.
@ -370,7 +371,7 @@ If this setting is enabled, and the Active Directory domain meets the DFL prereq
If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory.
If not specified, this setting defaults to False.</Description>
If not specified, this setting defaults to True.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -381,31 +382,31 @@ If not specified, this setting defaults to False.</Description>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>false</Value>
<ValueDescription>Store the password in clear-text form in Active Directory</ValueDescription>
</Enum>
<Enum>
<Value>true</Value>
<ValueDescription>Store the password in encrypted form in Active Directory</ValueDescription>
</Enum>
</AllowedValues>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>2</Value>
<ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Store the password in clear-text form in Active Directory</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Store the password in encrypted form in Active Directory</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="BackupDirectory">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>BackupDirectory configured to Active Directory</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
@ -436,21 +437,21 @@ If the specified user or group account is invalid the device will fallback to us
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>2</Value>
<ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="BackupDirectory">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>BackupDirectory configured to Active Directory</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
@ -480,24 +481,24 @@ This setting has a maximum allowed value of 12 passwords.</Description>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
<AllowedValues ValueType="Range">
<Value>[0-12]</Value>
</AllowedValues>
<DependencyBehavior>
<DependencyGroup FriendlyId="BackupDirectory">
<Dependency Type="DependsOn">
<DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
<DependencyAllowedValue ValueType="ENUM">
<Enum>
<Value>2</Value>
<ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
</Enum>
</DependencyAllowedValue>
</Dependency>
</DependencyGroup>
</DependencyBehavior>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-12]</MSFT:Value>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="BackupDirectory">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>BackupDirectory configured to Active Directory</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
@ -527,11 +528,11 @@ This setting has a maximum allowed value of 12 passwords.</Description>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
<AllowedValues ValueType="Range">
<Value>[0-24]</Value>
</AllowedValues>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-24]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
@ -558,22 +559,22 @@ If not specified, this setting will default to 3 (Reset the password and logoff
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
<AllowedValues ValueType="ENUM">
<Enum>
<Value>1</Value>
<ValueDescription>Reset password: upon expiry of the grace period, the managed account password will be reset.</ValueDescription>
</Enum>
<Enum>
<Value>3</Value>
<ValueDescription>Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated.</ValueDescription>
</Enum>
<Enum>
<Value>5</Value>
<ValueDescription>Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.</ValueDescription>
</Enum>
</AllowedValues>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Reset password: upon expiry of the grace period, the managed account password will be reset.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>3</MSFT:Value>
<MSFT:ValueDescription>Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>5</MSFT:Value>
<MSFT:ValueDescription>Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
@ -594,7 +595,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
</Scope>
<DFTitle>Actions</DFTitle>
<DFType>
<DDFName></DDFName>
<DDFName />
</DFType>
</DFProperties>
<Node>
@ -614,9 +615,8 @@ If not specified, this setting will default to 3 (Reset the password and logoff
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
<AsynchronousTracking ResourceSuccessURI="ResetPasswordStatus" ResourceSuccessValues="0" ResourceInProgressValues="10" ResourceFailureValues="20"/>
</DFProperties>
</Node>
<Node>
@ -638,17 +638,15 @@ If not specified, this setting will default to 3 (Reset the password and logoff
</Scope>
<DFTitle>ResetPasswordStatus</DFTitle>
<DFType>
<MIME>text/plain</MIME>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
</cspDefinition>
</identity>
</MgmtTree>
```
## Related articles
[LAPS configuration service provider](laps-csp.md)
[LAPS configuration service provider reference](laps-csp.md)

4
windows/client-management/mdm/toc.yml
View File

@ -767,10 +767,10 @@ items:
items:
- name: LanguagePackManagement DDF file
href: language-pack-management-ddf-file.md
- name: Local Administrator Password Solution
- name: LAPS
href: laps-csp.md
items:
- name: Local Administrator Password Solution DDF
- name: LAPS DDF file
href: laps-ddf-file.md
- name: MultiSIM
href: multisim-csp.md