Merge pull request #1329 from MicrosoftDocs/MDBranch3326213

Added new nodes in BitLocker CSP doc
Rebecca Agiewich 2019-10-11 10:13:49 -07:00 committed by GitHub
commit c36e5a07d5
4 changed files with 410 additions and 30 deletions


@ -6,12 +6,16 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
ms.date: 08/05/2019
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# BitLocker CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
> [!NOTE]
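Review bot: "prereleased product" in the new warning block should read "prerelease product". Otherwise the alert uses the standard `> [!WARNING]` form and is consistent with the `> [!NOTE]` alert that follows it.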
@ -25,7 +29,7 @@ For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation
The following diagram shows the BitLocker configuration service provider in tree format.
![bitlocker csp](images/provisioning-csp-bitlocker.png)
![BitLocker csp](images/provisioning-csp-bitlocker.png)
<a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**
Defines the root node for the BitLocker configuration service provider.
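Review bot: the alt text is only half-corrected. "BitLocker csp" fixes the product name but leaves the acronym lowercase; since the whole point of this one-line change is casing, make it "BitLocker CSP".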
@ -57,7 +61,7 @@ Allows the administrator to require storage card encryption on the device. This
Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.
- 0 (default) Storage cards do not need to be encrypted.
- 1 Require Storage cards to be encrypted.
- 1 Require storage cards to be encrypted.
Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.
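Review bot: the unchanged sentence after the list, "Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.", repeats the second sentence of the "Data type is integer" paragraph above it, with "system card" in place of "storage card". Keep a single copy and use "storage card", since that is what this node controls.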
@ -125,10 +129,10 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix
The following list shows the supported values:
- 0 (default) Disable. If the policy setting is not set or is set to 0, the device's enforcement status will not be checked. The policy will not enforce encryption and it will not decrypt encrypted volumes.
- 1 Enable. The device's enforcement status will be checked. Setting this policy to 1 will trigger encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).
- 0 (default) — Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes.
- 1 Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).
If you want to disable this policy use the following SyncML:
If you want to disable this policy, use the following SyncML:
```xml
<SyncML>
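Review bot: the two rewritten list items use different separators: "0 (default) — Disable." introduces an em dash while "1 Enable." keeps the bare form used elsewhere in this file ("- 0 (default) Storage cards do not need to be encrypted."). Use the same form on both lines. The switch from "will not be checked" to "is not checked" is fine.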
@ -151,7 +155,7 @@ If you want to disable this policy use the following SyncML:
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
Allows you to set the default encrytion method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)&quot;.
Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)&quot;.
<table>
<tr>
<th>Home</th>
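Review bot: while fixing "encrytion", the same sentence still writes the product name as "Bitlocker" in "Bitlocker Group Policy"; the heading and the rest of this topic use "BitLocker", so correct that in the same line.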
@ -520,7 +524,8 @@ Set &quot;OSActiveDirectoryBackup_Name&quot; (Save BitLocker recovery informatio
Set the &quot;OSRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
&gt; [!Note]<br/>&gt; If the &quot;OSRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
> [!Note]
> If the &quot;OSRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
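Review bot: the converted alert uses `> [!Note]`, while the alert added at the top of this file in the first hunk uses the uppercase `> [!NOTE]` form (and `> [!WARNING]`). Use `[!NOTE]` here for consistency with the rest of the topic.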
@ -533,25 +538,17 @@ Sample value for this node to enable this policy is:
```
The possible values for &#39;xx&#39; are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
<li></li>
</ul>
- true = Explicitly allow
- false = Policy not set
The possible values for &#39;yy&#39; are:
<ul>
<li>2 = Allowed</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
- 2 = Allowed
- 1 = Required
- 0 = Disallowed
The possible values for &#39;zz&#39; are:
<ul>
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
<li></li>
</ul>
- 2 = Store recovery passwords only
- 1 = Store recovery passwords and key packages
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
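Review bot: the unchanged last line of this hunk, "If you want to disable this policy use the following SyncML:", is missing the comma that an earlier hunk in this file added to the identical sentence ("If you want to disable this policy, use the following SyncML:"); apply the same fix here. Replacing the HTML `<ul>` lists with markdown and dropping the empty `<li></li>` items is the right call.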
@ -896,6 +893,161 @@ If you want to disable this policy use the following SyncML:
</Item>
</Replace>
```
<a href="" id="configurerecoverypasswordrotation"></a>**ConfigureRecoveryPasswordRotation**
This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys.
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Value type is int. Supported operations are Add, Delete, Get, and Replace.
Supported values are:
- 0 Refresh off (default)
- 1 Refresh on for Azure AD-joined devices
- 2 Refresh on for both Azure AD-joined and hybrid-joined devices
<a href="" id="rotaterecoverypasswords"></a>**RotateRecoveryPasswords**
This setting refreshes all recovery passwords for OS and fixed drives (removable drives are not included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate.
The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure.
Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client will not retry, but if needed, the server can re-issue the execute request.
Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh.
Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices cannot refresh recovery passwords if they are only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account.
Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request.
- RotateRecoveryPasswordsRequestID: Returns request ID of last request processed.
- RotateRecoveryPasswordsRotationStatus: Returns status of last request processed.
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Value type is string. Supported operation is Execute. Request ID is expected as a parameter.
<a href="" id="status"></a>**Status**
Interior node. Supported operation is Get.
<a href="" id="status-deviceencryptionstatus"></a>**Status/DeviceEncryptionStatus**
This node reports compliance state of device encryption on the system.
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Supported values:
- 0 - Indicates that the device is compliant.
- Any other value represents a non-compliant device.
Value type is int. Supported operation is Get.
<a href="" id="status-rotaterecoverypasswordsstatus"></a>**Status/RotateRecoveryPasswordsStatus**
This node reports the status of RotateRecoveryPasswords request.
Status code can be one of the following:
- 2 Not started
- 1 - Pending
- 0 - Pass
- Any other code - Failure HRESULT
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Value type is int. Supported operation is Get.
<a href="" id="status-rotaterecoverypasswordsrequestid"></a>**Status/RotateRecoveryPasswordsRequestID**
This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID.
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Value type is string. Supported operation is Get.
### SyncML example
The following example is provided to show proper format and should not be taken as a recommendation.
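Review bot: the node name in the RotateRecoveryPasswords prose does not match the node this hunk defines. The text says "Server can call Get on the RotateRecoveryPasswordsRotationStatus node" and the bulleted list repeats "RotateRecoveryPasswordsRotationStatus", but the node documented below is **Status/RotateRecoveryPasswordsStatus**; use the defined path in both places, and write the request-ID bullet as "Status/RotateRecoveryPasswordsRequestID" to match its heading as well. Also, the status-code list under Status/RotateRecoveryPasswordsStatus is inconsistent: "- 2 Not started" lacks the " - " separator used by "- 1 - Pending" and "- 0 - Pass".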


@ -6,7 +6,8 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
ms.date: 06/29/2018
ms.localizationpriority: medium
ms.date: 09/30/2019
ms.reviewer:
manager: dansimp
---
@ -20,7 +21,7 @@ This topic shows the OMA DM device description framework (DDF) for the **BitLock
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version Windows 10, version 1809.
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
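Review bot: replacing "current version Windows 10, version 1809" with "current version for this CSP" removes the only statement of which Windows 10 release the DDF corresponds to. The what's-new topic in this same PR records the new nodes under Windows 10, version 1909, so say "The XML below is for Windows 10, version 1909." so readers can tell when the DDF last changed.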
@ -46,7 +47,7 @@ The XML below is the current version Windows 10, version 1809.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/3.0/MDM/BitLocker</MIME>
<MIME>com.microsoft/5.0/MDM/BitLocker</MIME>
<DDFName></DDFName>
</DFType>
</DFProperties>
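Review bot: the MIME type jumps from com.microsoft/3.0/MDM/BitLocker to com.microsoft/5.0/MDM/BitLocker, skipping 4.0. Confirm this matches the version in the downloadable DDF referenced at the top of the topic, or explain why an intermediate version was skipped, so the published XML and the download do not disagree.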
@ -736,6 +737,206 @@ The XML below is the current version Windows 10, version 1809.
</MSFT:SupportedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ConfigureRecoveryPasswordRotation</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description> Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices.
When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when
Active Directory back up for recovery password is configured to required.
For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives"
For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives"
Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>112</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="2">
<MSFT:SupportedValue value="0" description="Numeric Recovery Passwords Key rotation OFF"/>
<MSFT:SupportedValue value="1" description="Default Value. Numeric Recovery Passwords Key Rotation ON for AAD joined devices."/>
<MSFT:SupportedValue value="2" description="Numeric Recovery Passwords Key Rotation ON for both AAD and Hybrid devices"/>
</MSFT:SupportedValues>
</DFProperties>
</Node>
<Node>
<NodeName>RotateRecoveryPasswords</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description> Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device.
This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
The policy only comes into effect when Active Directory backup for a recovery password is configured to "required."
* For OS drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives."
*For fixed drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for fixed data drives."
Client returns status DM_S_ACCEPTED_FOR_PROCESSING to indicate the rotation has started. Server can query status with the following status nodes:
* status\RotateRecoveryPasswordsStatus
* status\RotateRecoveryPasswordsRequestID
Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\
<Exec>
<CmdID>113</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswords</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;RequestID/&gt;</Data>
</Item>
</Exec>
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DeviceEncryptionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports compliance state of device encryption on the system.
Value '0' means the device is compliant. Any other value represents a non-compliant device.
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RotateRecoveryPasswordsStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description> This Node reports the status of RotateRecoveryPasswords request.
Status code can be one of the following:
NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RotateRecoveryPasswordsRequestID</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description> This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus
To ensure the status is correctly matched to the request ID.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
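Review bot: the ConfigureRecoveryPasswordRotation Description contradicts the bitlocker-csp.md change in this same PR on the default value. Here value 1 is labelled "Default value" and the text says "When not configured, Rotation is turned on by default for AAD only and off on Hybrid", while the markdown topic lists "0 Refresh off (default)". Pick one and make both files agree. Smaller points in the RotateRecoveryPasswords node: the Description has a stray trailing backslash after "according to the management tools.", the second bullet is missing the space after the asterisk ("*For fixed drives"), and the status paths are written "status\RotateRecoveryPasswordsStatus" with a backslash and lowercase "status" although the nodes are defined as Status/RotateRecoveryPasswordsStatus and Status/RotateRecoveryPasswordsRequestID.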

Binary file not shown.



@ -24,6 +24,7 @@ This topic provides information about what's new and breaking changes in Windows
For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
- **Whats new in MDM for Windows 10 versions**
- [Whats new in MDM for Windows 10, version 1909](#whats-new-in-mdm-for-windows-10-version-1909)
- [Whats new in MDM for Windows 10, version 1903](#whats-new-in-mdm-for-windows-10-version-1903)
- [Whats new in MDM for Windows 10, version 1809](#whats-new-in-mdm-for-windows-10-version-1809)
- [Whats new in MDM for Windows 10, version 1803](#whats-new-in-mdm-for-windows-10-version-1803)
@ -83,6 +84,27 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [September 2017](#september-2017)
- [August 2017](#august-2017)
## Whats new in MDM for Windows 10, version 1909
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th>New or updated topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align:top"><a href="bitlocker-csp.md" data-raw-source="[BitLocker CSP](bitlocker-csp.md)">BitLocker CSP</a></td>
<td style="vertical-align:top"><br>Added the following new nodes in Windows 10, version 1909:</p>
ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.</li>
</td></tr>
</tbody>
</table>
## Whats new in MDM for Windows 10, version 1903
<table class="mx-tdBreakAll">
<colgroup>
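Review bot: the Description cell of the new 1909 row is malformed HTML. It opens with `<br>` and closes with `</p>` without a matching `<p>`, and the node list ends with `</li>` without an opening `<li>` or an enclosing `<ul>`. Write it as `<p>Added the following new nodes in Windows 10, version 1909:</p>` followed by the node names, and drop the stray `</li>`.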
@ -1907,6 +1929,11 @@ What data is handled by dmwappushsvc? | It is a component handling the internal
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. |
## Change history in MDM documentation
### October 2019
|New or updated topic | Description|
|--- | ---|
|[BitLocker CSP](bitlocker-csp.md)|Added the following new nodes:<br>ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID|
### October 2019
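Review bot: this hunk adds a second "### October 2019" heading directly above the existing one (the unchanged last line of the hunk), so the change history now has two sections with the same title. Merge the BitLocker CSP row into the existing October 2019 table instead of adding a duplicate heading and table.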