deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #5375 from MicrosoftDocs/master

Browse Source 
Publish 07/08/21, 3:30 PM
This commit is contained in:
Gary Moore 2021-07-08 15:48:46 -07:00 committed by GitHub
commit c5b607693b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 30 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
windows/client-management/mdm/federated-authentication-device-enrollment.md
View File

@ -266,12 +266,10 @@ The following is an enrollment policy request example with a received security t
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To> </a:To>
<wsse:Security s:mustUnderstand="1"> <wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken ValueType= <wsse:BinarySecurityToken
"http: //schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken" ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
EncodingType= EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
xmlns=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken> </wsse:BinarySecurityToken>
</wsse:Security> </wsse:Security>
@ -410,12 +408,9 @@ The following example shows the enrollment web service request for federated aut
https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To> </a:To>
<wsse:Security s:mustUnderstand="1"> <wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken wsse:ValueType= <wsse:BinarySecurityToken
"http:"//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken wsse:ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
wsse:EncodingType= wsse:EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
>
B64EncodedSampleBinarySecurityToken B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken> </wsse:BinarySecurityToken>
</wsse:Security> </wsse:Security>
@ -518,21 +513,18 @@ The following example shows the enrollment web service response.
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<RequestSecurityTokenResponse> <RequestSecurityTokenResponse>
<TokenType> <TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType> </TokenType>
<DispositionMessage xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"/> <RequestedSecurityToken> <DispositionMessage xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"/>
<RequestedSecurityToken>
<BinarySecurityToken <BinarySecurityToken
ValueType= ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
"http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
EncodingType= xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken B64EncodedSampleBinarySecurityToken
</BinarySecurityToken> </BinarySecurityToken>
</RequestedSecurityToken> </RequestedSecurityToken>
<RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0 <RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID>
</RequestID>
</RequestSecurityTokenResponse> </RequestSecurityTokenResponse>
</RequestSecurityTokenResponseCollection> </RequestSecurityTokenResponseCollection>
</s:Body> </s:Body>
@ -558,12 +550,12 @@ The following code shows sample provisioning XML (presented in the preceding pac
<characteristic type="Encoded Root Cert Hash Inserted Here"> <characteristic type="Encoded Root Cert Hash Inserted Here">
<parm name="EncodedCertificate" value="B64EncodedCertInsertedHere" /> <parm name="EncodedCertificate" value="B64EncodedCertInsertedHere" />
</characteristic> </characteristic>
<characteristic type="PrivateKeyContainer"/> <characteristic type="PrivateKeyContainer"/>
<!-- This tag must be present for XML syntax correctness. --> <!-- This tag must be present for XML syntax correctness. -->
</characteristic> </characteristic>
<characteristic type="WSTEP"> <characteristic type="WSTEP">
<characteristic type="Renew"> <characteristic type="Renew">
<!—If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. --> <!—If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<parm name="ROBOSupport" value="true" datatype="boolean"/> <parm name="ROBOSupport" value="true" datatype="boolean"/>
<parm name="RenewPeriod" value="60" datatype="integer"/> <parm name="RenewPeriod" value="60" datatype="integer"/>
<parm name="RetryInterval" value="4" datatype="integer"/> <parm name="RetryInterval" value="4" datatype="integer"/>
@ -581,8 +573,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
<parm name="MAXBACKOFFTIME" value="120000" /> <parm name="MAXBACKOFFTIME" value="120000" />
<parm name="BACKCOMPATRETRYDISABLED" /> <parm name="BACKCOMPATRETRYDISABLED" />
<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" /> <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
<parm name="SSLCLIENTCERTSEARCHCRITERIA" value= <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=DC%3dcom%2cDC%3dmicrosoft%2cCN%3dUsers%2cCN%3dAdministrator&amp;amp;Stores=My%5CUser"/>
"Subject=DC%3dcom%2cDC%3dmicrosoft%2cCN%3dUsers%2cCN%3dAdministrator&amp;amp;Stores=My%5CUser"/>
<characteristic type="APPAUTH"> <characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="CLIENT"/> <parm name="AAUTHLEVEL" value="CLIENT"/>
<parm name="AAUTHTYPE" value="DIGEST"/> <parm name="AAUTHTYPE" value="DIGEST"/>
@ -598,25 +589,24 @@ The following code shows sample provisioning XML (presented in the preceding pac
</characteristic> </characteristic>
<characteristic type="DMClient"> <!-- In Windows 10, an enrollment server should use DMClient CSP XML to configure DM polling schedules. --> <characteristic type="DMClient"> <!-- In Windows 10, an enrollment server should use DMClient CSP XML to configure DM polling schedules. -->
<characteristic type="Provider"> <characteristic type="Provider">
<!-- ProviderID in DMClient CSP must match to PROVIDER-ID in w7 APPLICATION characteristics --> <!-- ProviderID in DMClient CSP must match to PROVIDER-ID in w7 APPLICATION characteristics -->
<characteristic type="TestMDMServer"> <characteristic type="TestMDMServer">
<parm name="UPN" value="UserPrincipalName@contoso.com" datatype="string" /> <parm name="UPN" value="UserPrincipalName@contoso.com" datatype="string" />
<characteristic type="Poll"> <parm name="EntDeviceName" value="Administrator_Windows" datatype="string" />
<characteristic type="Poll">
<parm name="NumberOfFirstRetries" value="8" datatype="integer" /> <parm name="NumberOfFirstRetries" value="8" datatype="integer" />
<parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" /> <parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
<parm name="NumberOfSecondRetries" value="5" datatype="integer" /> <parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" /> <parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" /> <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.--> <!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" /> <parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" /> <parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic> </characteristic>
<parm name="EntDeviceName" value="Administrator_Windows" datatype="string" /> </characteristic>
</characteristic>
</characteristic> </characteristic>
</characteristic> </characteristic>
<!-- For Windows 10, we removed EnterpriseAppManagement from the enrollment <!-- For Windows 10, we removed EnterpriseAppManagement from the enrollment protocol. -->
protocol. -->
</wap-provisioningdoc> </wap-provisioningdoc>
``` ```
@ -627,4 +617,4 @@ The following code shows sample provisioning XML (presented in the preceding pac
- Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document. - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document.
- The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique. - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
- Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate. - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.