diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index a1d4415f08..f747018cdd 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -1,245 +1,872 @@
---
title: DMClient CSP
-description: Understand how the DMClient configuration service provider (CSP) is used to specify enterprise-specific mobile device management (MDM) configuration settings.
-ms.reviewer:
+description: Learn more about the DMClient CSP.
+author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 02/27/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 11/01/2017
+ms.topic: reference
---
+
+
+
# DMClient CSP
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
+
+
The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
+
-The following information shows the DMClient CSP in tree format.
+
+The following example shows the DMClient configuration service provider in tree format.
-```console
-./Vendor/MSFT
-DMClient
-----Provider
---------ProviderID
-------------EntDeviceName
-------------ExchangeID
-------------EntDMID
-------------SignedEntDMID
-------------CertRenewTimeStamp
-------------PublisherDeviceID
-------------ManagementServiceAddress
-------------UPN
-------------HelpPhoneNumber
-------------HelpWebsite
-------------HelpEmailAddress
-------------RequireMessageSigning
-------------SyncApplicationVersion
-------------MaxSyncApplicationVersion
-------------Unenroll
-------------AADResourceID
-------------AADDeviceID
-------------AADSendDeviceToken
-------------ForceAadToken
-------------EnrollmentType
-------------EnableOmaDmKeepAliveMessage
-------------HWDevID
-------------ManagementServerAddressList
-------------CommercialID
-------------ConfigLock
-----------------Lock
-----------------UnlockDuration
-----------------SecureCore
-------------Push
-----------------PFN
-----------------ChannelURI
-----------------Status
-------------Poll
-----------------IntervalForFirstSetOfRetries
-----------------NumberOfFirstRetries
-----------------IntervalForSecondSetOfRetries
-----------------NumberOfSecondRetries
-----------------IntervalForRemainingScheduledRetries
-----------------NumberOfRemainingScheduledRetries
-----------------PollOnLogin
-----------------AllUsersPollOnFirstLogin
-------------LinkedEnrollment
-----------------Priority
-----------------Enroll
-----------------Unenroll
-----------------EnrollStatus
-----------------LastError
-------------Recovery
-----------------AllowRecovery
-----------------RecoveryStatus
-----------------InitiateRecovery
-------------MultipleSession
-----------------NumAllowedConcurrentUserSessionForBackgroundSync
-----------------NumAllowedConcurrentUserSessionAtUserLogonSync
-----------------IntervalForScheduledRetriesForUserSession
-----------------NumberOfScheduledRetriesForUserSession
-----Unenroll
-----UpdateManagementServiceAddress
+```text
+./Device/Vendor/MSFT/DMClient
+--- HWDevID
+--- Provider
+------ {ProviderID}
+--------- AADDeviceID
+--------- AADResourceID
+--------- AADSendDeviceToken
+--------- CertRenewTimeStamp
+--------- CommercialID
+--------- ConfigLock
+------------ Lock
+------------ SecureCore
+------------ UnlockDuration
+--------- CustomEnrollmentCompletePage
+------------ BodyText
+------------ HyperlinkHref
+------------ HyperlinkText
+------------ Title
+--------- EnableOmaDmKeepAliveMessage
+--------- EnhancedAppLayerSecurity
+------------ Cert0
+------------ Cert1
+------------ SecurityMode
+------------ UseCertIfRevocationCheckOffline
+--------- EnrollmentType
+--------- EntDeviceName
+--------- EntDMID
+--------- ExchangeID
+--------- FirstSyncStatus
+------------ AllowCollectLogsButton
+------------ BlockInStatusPage
+------------ CustomErrorText
+------------ ExpectedModernAppPackages
+------------ ExpectedMSIAppPackages
+------------ ExpectedNetworkProfiles
+------------ ExpectedPFXCerts
+------------ ExpectedPolicies
+------------ ExpectedSCEPCerts
+------------ IsSyncDone
+------------ ServerHasFinishedProvisioning
+------------ SkipDeviceStatusPage
+------------ SkipUserStatusPage
+------------ TimeOutUntilSyncFailure
+------------ WasDeviceSuccessfullyProvisioned
+--------- ForceAadToken
+--------- HelpEmailAddress
+--------- HelpPhoneNumber
+--------- HelpWebsite
+--------- HWDevID
+--------- LinkedEnrollment
+------------ Enroll
+------------ EnrollStatus
+------------ LastError
+------------ Priority
+------------ Unenroll
+--------- ManagementServerAddressList
+--------- ManagementServerToUpgradeTo
+--------- ManagementServiceAddress
+--------- MaxSyncApplicationVersion
+--------- MultipleSession
+------------ IntervalForScheduledRetriesForUserSession
+------------ NumAllowedConcurrentUserSessionAtUserLogonSync
+------------ NumAllowedConcurrentUserSessionForBackgroundSync
+------------ NumberOfScheduledRetriesForUserSession
+--------- NumberOfDaysAfterLostContactToUnenroll
+--------- Poll
+------------ AllUsersPollOnFirstLogin
+------------ IntervalForFirstSetOfRetries
+------------ IntervalForRemainingScheduledRetries
+------------ IntervalForSecondSetOfRetries
+------------ NumberOfFirstRetries
+------------ NumberOfRemainingScheduledRetries
+------------ NumberOfSecondRetries
+------------ PollOnLogin
+--------- PublisherDeviceID
+--------- Push
+------------ ChannelURI
+------------ PFN
+------------ Status
+--------- Recovery
+------------ AllowRecovery
+------------ InitiateRecovery
+------------ RecoveryStatus
+--------- RequireMessageSigning
+--------- SignedEntDMID
+--------- SyncApplicationVersion
+--------- Unenroll
+--------- UPN
+--- Unenroll
+--- UpdateManagementServiceAddress
+./User/Vendor/MSFT/DMClient
+--- Provider
+------ {ProviderID}
+--------- FirstSyncStatus
+------------ AllowCollectLogsButton
+------------ CustomErrorText
+------------ ExpectedModernAppPackages
+------------ ExpectedMSIAppPackages
+------------ ExpectedNetworkProfiles
+------------ ExpectedPFXCerts
+------------ ExpectedPolicies
+------------ ExpectedSCEPCerts
+------------ IsSyncDone
+------------ ServerHasFinishedProvisioning
+------------ WasDeviceSuccessfullyProvisioned
```
+
-**./Vendor/MSFT**
-All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path.
+
+## Device/HWDevID
-**DMClient**
-Root node for the CSP.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-**UpdateManagementServiceAddress**
-For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You can't add new servers to the list using this node.
-
-**HWDevID**
-Added in Windows 10, version 1703. Returns the hardware device ID.
-
-Supported operation is Get. Value type is string.
-
-**Provider**
-Required. The root node for all settings that belong to a single management server. Scope is permanent.
-
-Supported operation is Get.
-
-**Provider/***ProviderID*
-Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM provider. As a best practice, use text that doesn’t require XML/URI escaping.
-
-Supported operations are Get and Add.
-
-**Provider/*ProviderID*/EntDeviceName**
-Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session.
-
-Supported operations are Get and Add.
-
-**Provider/*ProviderID*/EntDMID**
-Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session.
-
-Supported operations are Get and Add.
-
-> [!NOTE]
-> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
-This node is required and must be set by the server before the client certificate renewal is triggered.
-
-**Provider/*ProviderID*/ExchangeID**
-Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for:
-
-- A device that's managed by Exchange.
-- A device that's natively managed by a dedicated management server.
-
-> [!NOTE]
-> In some cases for the desktop, this node will return "not found" until the user sets up their email.
-
-Supported operation is Get.
-
-The following XML is a Get command example:
-
-```xml
-
- 12
- -
-
- ./Vendor/MSFT/DMClient/Provider//ExchangeID
-
-
-
+
+```Device
+./Device/Vendor/MSFT/DMClient/HWDevID
```
+
-**Provider/*ProviderID*/SignedEntDMID**
-Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM provider to verify client identity to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
+
+
+Returns the hardware device ID.
+
-Supported operation is Get.
+
+
+
-**Provider/*ProviderID*/CertRenewTimeStamp**
-Optional. The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created.
+
+**Description framework properties**:
-Supported operation is Get.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
-**Provider/*ProviderID*/ManagementServiceAddress**
-Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server. It allows the server to load balance to another server when too many devices are connected to the server.
+
+
+
-> [!NOTE]
-> When the **ManagementServerAddressList** value is set, the device ignores the value.
+
-The DMClient CSP will save the address to the same location as the w7 and DMS CSPs. The save ensures the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped using the [w7 APPLICATION configuration service provider](w7-application-csp.md).
+
+## Device/Provider
-Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there's only a single URL, then the <> aren't required. This feature is supported on Windows client devices.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session.
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider
+```
+
-Supported operations are Add, Get, and Replace.
+
+
+The root node for all settings that belong to a single management server.
+
-**Provider/*ProviderID*/UPN**
-Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user's email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
+
+
+
-Supported operations are Get and Replace.
+
+**Description framework properties**:
-**Provider/*ProviderID*/HelpPhoneNumber**
-Optional. The character string that allows the user experience to include a customized help phone number. Users can see this information if they need help or support.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
-Supported operations are Get, Replace, and Delete.
+
+
+
-**Provider/*ProviderID*/HelpWebsite**
-Optional. The character string that allows the user experience to include a customized help website. Users can see this information if they need help or support.
+
-Supported operations are Get, Replace, and Delete
+
+### Device/Provider/{ProviderID}
-**Provider/*ProviderID*/HelpEmailAddress**
-Optional. The character string that allows the user experience to include a customized help email address. Users can see this information if they need help or support.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-Supported operations are Get, Replace, and Delete.
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}
+```
+
-**Provider/*ProviderID*/RequireMessageSigning**
-Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included in the authenticated attributes in the signature.
+
+
+This node contains the URI-encoded value of the bootstrapped device management account's Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn't require XML/URI escaping.
+
-Default value is false, where the device management client doesn't include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header.
+
+
+
-When enabled, the MDM provider should:
+
+**Description framework properties**:
-- Validate the signature and the timestamp using the device identify certificate enrolled as part of Mobile Device Enrollment protocol (MS-MDE).
-- Ensure the certificate and time are valid.
-- Verify that the signature is trusted by the MDM provider.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+
-Supported operations are Get, Replace, and Delete.
+
+
+
-**Provider/*ProviderID*/SyncApplicationVersion**
-Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there's a client behavior change between 1.0 and 2.0.
+
-> [!NOTE]
-> This node is only supported in Windows 10 and later.
+
+#### Device/Provider/{ProviderID}/AADDeviceID
-Once you set the value to 2.0, it won't go back to 1.0.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
-Supported operations are Get, Replace, and Delete.
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/AADDeviceID
+```
+
-**Provider/*ProviderID*/MaxSyncApplicationVersion**
-Optional. Used by the client to indicate the latest DM session version that it supports. Default is 2.0.
+
+
+Device ID used for AAD device registration.
+
-When you query this node, a Windows 10 client will return 2.0 and a Windows 8.1 client will return an error code (404 node not found).
+
+
+
-Supported operation is Get.
+
+**Description framework properties**:
-**Provider/*ProviderID*/AADResourceID**
-Optional. This ResourceID is used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you're trying to access.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/AADResourceID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/AADResourceID
+```
+
+
+
+
+This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
+
+
+
+
For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](../azure-active-directory-integration-with-mdm.md).
+
-**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
-Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
+
+**Description framework properties**:
-When the server sends a configuration request, the client can take longer than the HTTP timeout to get all information together. The session might end unexpectedly because of the timeout. By default, the MDM client doesn't send an alert that a DM request is pending.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Get, Replace |
+
-To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. Send a SyncML message with a specific device alert element in the body until the client can respond back to the server with the requested information.
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/AADSendDeviceToken
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/AADSendDeviceToken
+```
+
+
+
+
+For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Do not send Device Token if User Token cannot be obtained. |
+| true | Send Device Token if User Token cannot be obtained. |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/CertRenewTimeStamp
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CertRenewTimeStamp
+```
+
+
+
+
+The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/CommercialID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CommercialID
+```
+
+
+
+
+Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/ConfigLock
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock
+```
+
+
+
+
+
+
+
+
+This node enables [Config Lock](../config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
+
+> [!NOTE]
+> If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/ConfigLock/Lock
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock/Lock
+```
+
+
+
+
+This node specifies how the client will perform the lock mode for SecureCore PC. 0: unlock; 1: lock. The default value is 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Unlock. |
+| 1 | Lock. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/ConfigLock/SecureCore
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock/SecureCore
+```
+
+
+
+
+The node returns the boolean value whether the device is a SecureCore PC.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/ConfigLock/UnlockDuration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigLock/UnlockDuration
+```
+
+
+
+
+This node, when it is set, tells the client to set how many minutes the device should be temporarily unlocked from SecureCore settings protection. The default value is 480.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 480 |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage
+```
+
+
+
+
+These nodes provision custom text for the enrollment page.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/BodyText
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/BodyText
+```
+
+
+
+
+Specifies the body text of the all done page that appears at the end of the MDM enrollment flow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkHref
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkHref
+```
+
+
+
+
+Specifies the URL that is shown at the end of the MDM enrollment flow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkText
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/HyperlinkText
+```
+
+
+
+
+Specifies the display text for the URL that is shown at the end of the MDM enrollment flow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage/Title
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/CustomEnrollmentCompletePage/Title
+```
+
+
+
+
+Specifies the title of the all done page that appears at the end of the MDM enrollment flow.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/EnableOmaDmKeepAliveMessage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnableOmaDmKeepAliveMessage
+```
+
+
+
+
+A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow. When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending. To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Enable message. |
+| true | Disable message. |
+
+
+
+
+**Example**:
Here's an example of DM message sent by the device when it's in pending state:
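Review bot: the "Allowed values" table added for EnableOmaDmKeepAliveMessage reads inverted: it lists `false (Default)` as "Enable message." and `true` as "Disable message.", while the description a few lines above says that by default the MDM client does not send the pending alert and that the setting is used to keep the session alive. Suggest swapping the two descriptions so that `false (Default)` is the disabled state and `true` enables the keep-alive message. Separately, the removed `./Vendor/MSFT` paragraph stated that ExchangeID is supported in the user context, but the new tree lists ExchangeID only under `./Device/Vendor/MSFT/DMClient` and the `./User/Vendor/MSFT/DMClient` tree has no ExchangeID entry; please confirm the scope change is intended or restore the user-context path.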
@@ -271,32 +898,1603 @@ Here's an example of DM message sent by the device when it's in pending state:
```
+
-**Provider/*ProviderID*/AADDeviceID**
-Added in Windows 10, version 1607. Returns the device ID for the Azure AD device registration.
+
-Supported operation is Get.
+
+#### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity
-**Provider/*ProviderID*/EnrollmentType**
-Added in Windows 10, version 1607. Returns the enrollment type (Device or Full).
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-Supported operation is Get.
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity
+```
+
-**Provider/*ProviderID*/HWDevID**
-Added in Windows 10, version 1607. Returns the hardware device ID.
+
+
+
-Supported operation is Get.
+
+
+
-**Provider/*ProviderID*/CommercialID**
-Added in Windows 10, version 1607. It configures the identifier that uniquely associates the device's diagnostic data belonging to the organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting is provided by Microsoft in the onboarding process for the program. If you disable or don't configure this policy setting, then Microsoft can't use this identifier to associate this machine and its diagnostic data with your organization.
+
+**Description framework properties**:
-Supported operations are Add, Get, Replace, and Delete.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
-**Provider/*ProviderID*/ManagementServerAddressList**
-Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there's only one, the angle brackets (<>) aren't required.
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert0
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert0
+```
+
+
+
+
+The node contains the primary certificate - the public key to use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert1
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/Cert1
+```
+
+
+
+
+The node contains the secondary certificate - the public key to use.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/SecurityMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/SecurityMode
+```
+
+
+
+
+This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | No op. |
+| 1 | Sign only. |
+| 2 | Encrypt only. |
+| 3 | Sign and encrypt. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline
+```
+
+
+
+
+This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | False. |
+| true | True. |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/EnrollmentType
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EnrollmentType
+```
+
+
+
+
+Type of MDM enrollment (Device or Full).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/EntDeviceName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EntDeviceName
+```
+
+
+
+
+Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/EntDMID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/EntDMID
+```
+
+
+
+
+Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
+
+
+
+
> [!NOTE]
-> The < and > should be escaped.
+> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP's **USEHWDEVID** node by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server. This node is required and must be set by the server before the client certificate renewal is triggered.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/ExchangeID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ExchangeID
+```
+
+
+
+
+Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server.
+
+
+
+
+> [!NOTE]
+> In some cases, this node will return "not found" until the user sets up their email.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+**Example**:
+
+```xml
+
+ 12
+ -
+
+ ./Vendor/MSFT/DMClient/Provider//ExchangeID
+
+
+
+```
+
+
+
+
+
+#### Device/Provider/{ProviderID}/FirstSyncStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton
+```
+
+
+
+
+This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Do not show the Collect Logs button on the progress page. |
+| true | Show the Collect Logs button on the progress page. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/BlockInStatusPage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/BlockInStatusPage
+```
+
+
+
+
+Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Flag | Description |
+|:--|:--|
+| 0x0 | Allow the user to exit the page before provisioning completes. |
+| 0x1 | Block the user on the page and show the Reset PC button on failure. |
+| 0x2 | Block the user on the page and show the Try Again button on failure. |
+| 0x4 | Block the user on the page and show the Continue Anyway button on failure. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText
+```
+
+
+
+
+This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages
+```
+
+
+
+
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages
+```
+
+
+
+
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles
+```
+
+
+
+
+This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000".
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts
+```
+
+
+
+
+This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies
+```
+
+
+
+
+This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts
+```
+
+
+
+
+This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone
+```
+
+
+
+
+This node, when doing a get, tells the server if the "First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | The device is not finished provisioning. |
+| true | The device has finished provisoining. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning
+```
+
+
+
+
+This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can "change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Server has not finished provisioning. |
+| true | Server has finished provisioning. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/SkipDeviceStatusPage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/SkipDeviceStatusPage
+```
+
+
+
+
+Device only. This node decides whether or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Do not skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+| true (Default) | Skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/SkipUserStatusPage
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/SkipUserStatusPage
+```
+
+
+
+
+Device only. This node decides whether or not the MDM user progress page skips after AADJ or DJ++ after user login.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | true |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Do not skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+| true (Default) | Skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/TimeOutUntilSyncFailure
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/TimeOutUntilSyncFailure
+```
+
+
+
+
+This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Allowed Values | Range: `[1-1440]` |
+| Default Value | 60 |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned
+```
+
+
+
+
+Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | The device has failed to provision the device. |
+| 1 | The device has successfully provisioned the device. |
+| 2 | Provisioning is in progress. |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/ForceAadToken
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1766] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1766] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1766] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.739] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ForceAadToken
+```
+
+
+
+
+Force device to send device AAD token during check-in as a separate header.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | ForceAadTokenNotDefined: the value is not defined(default). |
+| 1 | AlwaysSendAadDeviceTokenCheckIn: always send AAD device token during check-in as a separate header section(not as Bearer token). |
+| 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during check-in as a separate header section(not as Bearer toekn). |
+| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send AAD Device token for auth as Bearer token. |
+| 8 | Reserved for future. ForceAadTokenMaxAllowed: max value allowed. |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/HelpEmailAddress
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HelpEmailAddress
+```
+
+
+
+
+The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/HelpPhoneNumber
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HelpPhoneNumber
+```
+
+
+
+
+The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/HelpWebsite
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HelpWebsite
+```
+
+
+
+
+The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/HWDevID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/HWDevID
+```
+
+
+
+
+Returns the hardware device ID.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/LinkedEnrollment
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment
+```
+
+
+
+
+The interior node for linked enrollment.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/LinkedEnrollment/Enroll
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Enroll
+```
+
+
+
+
+Trigger to enroll for the Linked Enrollment.
+
+
+
+
+This is an execution node and will trigger a silent MMP-C enrollment, using the Azure Active Directory device token pulled from the Azure AD-joined device. There is no user interaction needed.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Exec |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/LinkedEnrollment/EnrollStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/EnrollStatus
+```
+
+
+
+
+Returns the current enrollment or un-enrollment status of the linked enrollment.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Undefined. |
+| 1 | Enrollment Not started. |
+| 2 | Enrollment In Progress. |
+| 3 | Enrollment Failed. |
+| 4 | Enrollment Succeeded. |
+| 5 | Unenrollment Not started. |
+| 6 | UnEnrollment In Progress. |
+| 7 | UnEnrollment Failed. |
+| 8 | UnEnrollment Succeeded. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/LinkedEnrollment/LastError
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/LastError
+```
+
+
+
+
+return the last error for enroll/unenroll.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/LinkedEnrollment/Priority
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Priority
+```
+
+
+
+
+Optional. Allowed value is 0 or 1. 0 means the main enrollment has authority for mdm settings and resources, 1 means the linked enrollment has authority.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | The main enrollment has priority over linked enrollment. |
+| 1 | The linked enrollment has priority over the main enrollment. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/LinkedEnrollment/Unenroll
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042.2193] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.2193] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044.2193] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.918] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/LinkedEnrollment/Unenroll
+```
+
+
+
+
+Trigger Unenroll for the Linked Enrollment.
+
+
+
+
+This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Exec |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/ManagementServerAddressList
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ManagementServerAddressList
+```
+
+
+
+
+The list of management server URLs in the format `` `` ``, and so on. If there is only one, the angle brackets (<>) are not required. The < and > should be escaped. If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value. When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+
+
+
+
+**Example**:
```xml
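Review bot: In the LinkedEnrollment/Priority section, the node is described as "Optional" with allowed values 0 and 1, but neither the description nor its Description framework properties table states a default, so a reader cannot tell whether the main or the linked enrollment has authority over MDM settings and resources when the node is never set. Please add a default value row to that table, or a sentence naming the default. Smaller points in the same hunk: the LinkedEnrollment/LastError description ("return the last error for enroll/unenroll.") starts in lower case and does not say how to interpret the int it returns; the EnrollStatus allowed-values table mixes "Unenrollment" (value 5) with "UnEnrollment" (values 6 to 8); the LinkedEnrollment/Unenroll description writes both "MMP-C" and "MMPC"; and the ManagementServerAddressList description ends with "starting with the first on in the list", where "on" should be "one".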
@@ -311,525 +2509,1285 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo
```
+
-If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value.
+
-When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list. It keeps trying until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first one in the list.
+
+#### Device/Provider/{ProviderID}/ManagementServerToUpgradeTo
-Supported operations are Get and Replace.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-Value type is string.
-
-**Provider/*ProviderID*/ManagementServerToUpgradeTo**
-Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is string.
-
-**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll**
-Optional. Number of days after last successful sync to unenroll.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is integer.
-
-**Provider/*ProviderID*/AADSendDeviceToken**
-
-Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is bool.
-
-**Provider/*ProviderID*/ForceAadToken**
-The value type is integer/enum.
-
-The value is "1" and it means client should always send Azure Active Directory device token during check-in/sync.
-
-**Provider/*ProviderID*/Poll**
-Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
-
-Supported operations are Get and Add.
-
-There are three schedules managed under the Poll node. They enable a rich polling schedule experience to provide greater flexibility in managing the way devices poll the management server. There are various ways that polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules to restore the polling schedules back to a valid configuration.
-
-If there's no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
-
-**Valid poll schedule: sigmoid polling schedule with infinite schedule (Recommended).**
-
-|Schedule name|Schedule set by the server|Actual value queried on device|
-|--- |--- |--- |
-|IntervalForFirstSetOfRetries|15|15|
-|NumberOfFirstRetries|5|5|
-|IntervalForSecondSetOfRetries|60|60|
-|NumberOfSecondRetries|10|10|
-|IntervalForRemainingScheduledRetries|1440|1440|
-|NumberOfRemainingScheduledRetries|0|0|
-
-**Valid poll schedule: initial enrollment only [no infinite schedule]**
-
-|Schedule name|Schedule set by the server|Actual value queried on device|
-|--- |--- |--- |
-|IntervalForFirstSetOfRetries|15|15|
-|NumberOfFirstRetries|5|5|
-|IntervalForSecondSetOfRetries|60|60|
-|NumberOfSecondRetries|10|10|
-|IntervalForRemainingScheduledRetries|0|0|
-|NumberOfRemainingScheduledRetries|0|0|
-
-**Invalid poll schedule: disable all poll schedules**
-
-> [!NOTE]
-> Disabling poll schedules results in UNDEFINED behavior and enrollment may fail if poll schedules are all set to zero.
-
-|Schedule name|Schedule set by the server|Actual value queried on device|
-|--- |--- |--- |
-|IntervalForFirstSetOfRetries|0|0|
-|NumberOfFirstRetries|0|0|
-|IntervalForSecondSetOfRetries|0|0|
-|NumberOfSecondRetries|0|0|
-|IntervalForRemainingScheduledRetries|0|0|
-|NumberOfRemainingScheduledRetries|0|0|
-
-**Invalid poll schedule: two infinite schedules**
-
-|Schedule name|Schedule set by server|Actual schedule set on device|Actual experience|
-|--- |--- |--- |--- |
-|IntervalForFirstSetOfRetries|15|15|Device polls|
-|NumberOfFirstRetries|5|5|Device polls|
-|IntervalForSecondSetOfRetries|1440|1440|Device polls the server once in 24 hours|
-|NumberOfSecondRetries|0|0|Device polls the server once in 24 hours|
-|IntervalForRemainingScheduledRetries|1440|0|Third schedule is disabled|
-|NumberOfRemainingScheduledRetries|0|0|Third schedule is disabled|
-
-If the device was previously enrolled in MDM with polling schedule configured using the registry key values directly, the MDM provider that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/<ProviderID>/Poll** node before it sends a Get/Replace command to query or update polling parameters using the DMClient CSP
-
-When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all three number of retry nodes to 0. It will cause a configuration failure.
-
-**Provider/*ProviderID*/Poll/IntervalForFirstSetOfRetries**
-Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfFirstRetries`. If IntervalForFirstSetOfRetries isn't set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
-
-Supported operations are Get and Replace.
-
-The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously used the Registry CSP.
-
-**Provider/*ProviderID*/Poll/NumberOfFirstRetries**
-Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value isn't 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule won't set in this case. The default value is 10.
-
-Supported operations are Get and Replace.
-
-The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously used the Registry CSP.
-
-The first set of retries gives the management server some buffered time to be ready to send policy and setting configurations to the device. The total time for first set of retries shouldn't be more than a few hours. The server shouldn't set NumberOfFirstRetries to 0. RemainingScheduledRetries is used for the long run device polling schedule.
-
-**Provider/*ProviderID*/Poll/IntervalForSecondSetOfRetries**
-Optional. The waiting time (in minutes) for the second set of retries, which is the number of retries in `//Poll/NumberOfSecondRetries`. Default value is 0. If this value is set to zero, then this schedule is disabled.
-
-Supported operations are Get and Replace.
-
-The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously used the Registry CSP.
-
-**Provider/*ProviderID*/Poll/NumberOfSecondRetries**
-Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries isn't set to 0 AND the first set of retries isn't set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled.
-
-Supported operations are Get and Replace.
-
-The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously used the Registry CSP.
-
-The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule.
-
-**Provider/*ProviderID*/Poll/IntervalForRemainingScheduledRetries**
-Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfRemainingScheduledRetries`. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
-
-Supported operations are Get and Replace.
-
-The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously used the Registry CSP.
-
-**Provider/*ProviderID*/Poll/NumberOfRemainingScheduledRetries**
-Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries aren't set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled.
-
-Supported operations are Get and Replace.
-
-The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously used the Registry CSP.
-
-The RemainingScheduledRetries is used for the long run device polling schedule.
-
-**Provider/*ProviderID*/Poll/PollOnLogin**
-Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, even if the user has previously logged in. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
-
-Supported operations are Add, Get, and Replace.
-
-**Provider/*ProviderID*/Poll/AllUsersPollOnFirstLogin**
-Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system. Later sign-ins won't trigger an MDM session. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
-
-Supported operations are Add, Get, and Replace.
-
-**Provider/*ProviderID*/LinkedEnrollment/Priority**
-This node is an integer, value is "0" or "1".
-
-Default is 1, meaning the MDM enrollment is the “winning” authority for conflicting policies/resources. Value 1 means MMP-C enrollment is the “winning” one.
-Support operations are Get and Set.
-
-**Provider/*ProviderID*/LinkedEnrollment/Enroll**
-This is an execution node and will trigger a silent MMP-C enrollment, using the Azure Active Directory device token pulled from the Azure AD-joined device. There is no user interaction needed.
-
-Support operation is Exec.
-
-**Provider/*ProviderID*/LinkedEnrollment/Unenroll**
-This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back(rollback details will be covered later).
-
-Support operation is Exec.
-
-**Provider/*ProviderID*/LinkedEnrollment/EnrollStatus**
-
-This node can be used to check both enroll and unenroll statuses.
-This will return the enroll action status and is defined as an enum class LinkedEnrollmentStatus. The values are as follows:
-
-- Undefined = 0
-- EnrollmentNotStarted = 1
-- InProgress = 2
-- Failed = 3
-- Succeeded = 4
-- UnEnrollmentQueued = 5
-- UnEnrollmentSucceeded = 8
-
-Support operation is Get only.
-
-**Provider/*ProviderID*/LinkedEnrollment/LastError**
-
-This specifies the Hresult to report the enrollment/unenroll results.
-
-**Provider/*ProviderID*/Recovery/AllowRecovery**
-
-This node determines whether or not the client will automatically initiate an MDM Recovery operation when it detects issues with the MDM certificate.
-
-Supported operations are Get, Add, Replace and Delete.
-
-The supported values for this node are 1-true (allow) and 0-false(not allow). Default value is 0.
-
-**Provider/*ProviderID*/Recovery/RecoveryStatus**
-
-This node tracks the status of a Recovery request from the InitiateRecovery node. The values are as follows:
-
-0 - No Recovery request has been processed.
-1 - Recovery is in Process.
-2 - Recovery has finished successfully.
-3 - Recovery has failed to start because TPM is not available.
-4 - Recovery has failed to start because Azure Active Directory keys are not protected by the TPM.
-5 - Recovery has failed to start because the MDM keys are already protected by the TPM.
-6 - Recovery has failed to start because the TPM is not ready for attestation.
-7 - Recovery has failed because the client cannot authenticate to the server.
-8 - Recovery has failed because the server has rejected the client's request.
-
-Supported operation is Get only.
-
-**Provider/*ProviderID*/Recovery/InitiateRecovery**
-
-This node initiates an MDM Recovery operation on the client.
-
-If initiated with argument 0, it triggers MDM Recovery, no matter the state of the device.
-
-If initiated with argument 1, it triggers only if the MDM certificate’s private key isn’t already protected by the TPM, if there is a TPM to put the private key into, and if the TPM is ready for attestation.
-
-Supported operation is Exec only.
-
-**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync**
-
-Optional. This node specifies maximum number of concurrent user sync sessions in background.
-
-The default value is dynamically decided by the client based on CPU usage.
-
-The values are as follows:
-0 = none
-1 = sequential
-anything else = parallel
-
-Supported operations are Get, Add, Replace and Delete.
-
-Value type is integer. Only applicable for Windows Enterprise multi-session.
-
-
-**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync**
-Optional. This node specifies maximum number of concurrent user sync sessions at User Login.
-
-The default value is dynamically decided by the client based on CPU usage.
-
-The values are as follows:
-0 = none
-1 = sequential
-anything else = parallel.
-
-Supported operations are Get, Add, Replace and Delete.
-
-Value type is integer. Only applicable for Windows Enterprise multi-session.
-
-**Provider/*ProviderID*/MultipleSession/IntervalForScheduledRetriesForUserSession**
-Optional. This node specifies the waiting time (in minutes) for the initial set of retries as specified by the number of retries in `//Poll/NumberOfScheduledRetriesForUserSession`.
-
-If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. The default value is 0. If the value is set to 0, this schedule is disabled.
-
-This configuration is only applicable for Windows Multi-session Editions.
-
-Supported operations are Get and Replace.
-
-**Provider/*ProviderID*/MultipleSession/NumberOfScheduledRetriesForUserSession**
-Optional. This node specifies the number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server.
-
-If the value is set to 0 and the IntervalForScheduledRetriesForUserSession value is not 0, then the schedule will be set to repeat an infinite number of times.
-
-The default value is 0. This configuration is only applicable for Windows Multi-session Editions.
-
-Supported operations are Get and Replace.
-
-**Provider/*ProviderID*/ConfigLock**
-
-Optional. This node enables [Config Lock](../config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
-
-Default = Locked
-
-> [!Note]
-> If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
-
-**Provider/*ProviderID*/ConfigLock/Lock**
-
-The supported values for this node are 0-unlock, 1-lock.
-
-Supported operations are Add, Delete, Get.
-
-**Provider/*ProviderID*/ConfigLock/UnlockDuration**
-
-The supported values for this node are 1 to 480 (in min).
-
-Supported operations are Add, Delete, Get.
-
-**Provider/*ProviderID*/ConfigLock/SecureCore**
-
-The supported values for this node are false or true.
-
-Supported operation is Get only.
-
-**Provider/*ProviderID*/Push**
-Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported.
-
-Supported operations are Add and Delete.
-
-**Provider/*ProviderID*/Push/PFN**
-Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it's managing.
-
-Supported operations are Add, Get, and Replace.
-
-**Provider/*ProviderID*/Push/ChannelURI**
-Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device, based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
-
-Supported operation is Get.
-
-**Provider/*ProviderID*/Push/Status**
-Required. An integer that maps to a known error state or condition on the system.
-
-Supported operation is Get.
-
-The status error mapping is listed below.
-
-|Status|Description|
-|--- |--- |
-|0|Success|
-|1|Failure: invalid PFN|
-|2|Failure: invalid or expired device authentication with Microsoft account|
-|3|Failure: WNS client registration failed due to an invalid or revoked PFN|
-|4|Failure: no Channel URI assigned|
-|5|Failure: Channel URI has expired|
-|6|Failure: Channel URI failed to be revoked|
-|7|Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations.|
-|8|Unknown error|
-
-**Provider/*ProviderID*/CustomEnrollmentCompletePage**
-Optional. Added in Windows 10, version 1703.
-
-Supported operations are Add, Delete, and Get.
-
-**Provider/*ProviderID*/CustomEnrollmentCompletePage/Title**
-Optional. Added in Windows 10, version 1703. Specifies the title of the all done page that appears at the end of the MDM enrollment flow.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is string.
-
-**Provider/*ProviderID*/CustomEnrollmentCompletePage/BodyText**
-Optional. Added in Windows 10, version 1703. Specifies the body text of the all done page that appears at the end of the MDM enrollment flow.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is string.
-
-**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref**
-Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is string.
-
-**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText**
-Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is string.
-
-**Provider/*ProviderID*/FirstSyncStatus**
-Optional node. Added in Windows 10, version 1709.
-
-**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is string.
-
-**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000".
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is string.
-
-**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Value type is string.
-
-**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example,
-
-``` syntax
-./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000"
-./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ManagementServerToUpgradeTo
```
+
-This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
+
+
+Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device.
+
-Supported operations are Add, Delete, Get, and Replace.
+
+
+
-Value type is string.
+
+**Description framework properties**:
-**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-Supported operations are Add, Delete, Get, and Replace.
+
+
+
-Value type is string.
+
-**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+#### Device/Provider/{ProviderID}/ManagementServiceAddress
-Supported operations are Add, Delete, Get, and Replace.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-Value type is string.
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ManagementServiceAddress
+```
+
-**Provider/*ProviderID*/FirstSyncStatus/TimeOutUntilSyncFailure**
-Required. Added in Windows 10, version 1709. This node determines how long we'll poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
+
+
+The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server. The DMClient CSP will save the address to the same location as the w7 and DMS CSPs to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION](w7-application-csp.md) configuration service provider. Starting in Windows 10, version 1511, this node supports multiple server addresses in the format `` `` ``. If there is only a single URL, then the <> are not required. This is supported for both desktop and mobile devices. During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session.
+
-Supported operations are Get and Replace.
+
+
+> [!NOTE]
+> When the **ManagementServerAddressList** value is set, the device ignores the value.
+
-Value type is integer.
+
+**Description framework properties**:
-**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
-Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+| Dependency [ManageServerAddressListBlock] | Dependency Type: `Not`
Dependency URI: `Device/Vendor/MSFT/DMClient/Provider/[ProviderID]/ManagementServerAddressList`
Dependency Allowed Value Type: `None`
|
+
-Supported operations are Get and Replace.
+
+
+
-Value type is boolean.
+
-**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
-Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
+
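Review bot: The NOTE under ManagementServiceAddress ("When the **ManagementServerAddressList** value is set, the device ignores the value.") does not say which value is ignored. Name the node explicitly, for example "the device ignores the ManagementServiceAddress value" if that is the intent, since a reader could otherwise take it to mean the list itself. In the description, the multi-address format example renders as empty code spans, so the next sentence about "the <>" not being required has nothing to refer to; restore the placeholder text with the angle brackets escaped. The dependency label `ManageServerAddressListBlock` also differs from the node name ManagementServerAddressList used in its own Dependency URI, which is worth confirming.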
+#### Device/Provider/{ProviderID}/MaxSyncApplicationVersion
-Supported operations are Get and Replace.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-Value type is boolean.
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MaxSyncApplicationVersion
+```
+
-**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
-Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
+
+
+Used by the client to indicate the latest DM session version that it supports.
+
-Supported operations are Get and Replace.
+
+
+
-Value type is integer.
+
+**Description framework properties**:
-**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
-Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
-Supported operations are Get and Replace.
+
+
+
-Value type is integer.
+
-**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
-Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button.
+
+#### Device/Provider/{ProviderID}/MultipleSession
-Supported operations are Get and Replace.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-Value type is bool.
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession
+```
+
-**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
-Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error.
+
+
+
-Supported operations are Add, Get, Delete, and Replace.
+
+
+> [!NOTE]
+> Only applicable for Windows Enterprise multi-session.
+
-Value type is string.
+
+**Description framework properties**:
-**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
-Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
-Supported operations are Get and Replace.
+
+
+
-Value type is bool.
+
-**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
-Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login.
+
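Review bot: MultipleSession is added with an empty description: nothing appears between the path and the NOTE, so the only documentation for the node is "Only applicable for Windows Enterprise multi-session." Add a one-line description, as the Recovery node does with "Parent node for Recovery nodes." The Editions cell also marks every edition with :x: while Applicable OS lists Windows 11, version 21H2 and later; if that is deliberate because multi-session is not one of the listed editions, say so in the table or the note.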
+##### Device/Provider/{ProviderID}/MultipleSession/IntervalForScheduledRetriesForUserSession
-Supported operations are Get and Replace.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-Value type is bool.
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/IntervalForScheduledRetriesForUserSession
+```
+
-**Provider/*ProviderID*/EnhancedAppLayerSecurity**
-Required node. Added in Windows 10, version 1709.
+
+
+The waiting time (in minutes) for the initial set of retries as specified by the number of retries in NumberOfScheduledRetriesForUserSession. If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. Default value is 1440. If the value is 0, this schedule is disabled.
+
-Supported operation is Get.
+
+
+> [!NOTE]
+> Only applicable for Windows Enterprise multi-session.
+
-**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
-Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
+
+**Description framework properties**:
-Supported operations are Add, Get, Replace, and Delete.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
-Value type is integer.
+
+
+
-**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
-Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set.
+
-Supported operations are Add, Get, Replace, and Delete.
+
+##### Device/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync
-Value type is boolean.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert0**
-Required. Added in Windows 10, version 1709. The node contains the primary certificate - the public key to use.
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync
+```
+
-Supported operations are Add, Get, Replace, and Delete.
+
+
+Optional. Maximum number of concurrent user sync sessions at User Login. Default value is 25. 0 none, 1 sequential, anything else: parallel.
+
-Value type is string.
+
+
+> [!NOTE]
+> Only applicable for Windows Enterprise multi-session.
+
-**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert1**
-Required. Added in Windows 10, version 1709. The node contains the secondary certificate - the public key to use.
+
+**Description framework properties**:
-Supported operations are Add, Get, Replace, and Delete.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
-Value type is string.
+
+
+
-**Provider/*ProviderID*/Unenroll**
-Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `- ` element. Scope is permanent.
+
-Supported operations are Get and Exec.
+
+##### Device/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync
-<LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI> is supported for backward compatibility.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync
+```
+
+
+
+
+Optional. Maximum number of concurrent user sync sessions in background. Default value is 25. 0 none, 1 sequential, anything else: parallel.
+
+
+
+
+> [!NOTE]
+> Only applicable for Windows Enterprise multi-session.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/MultipleSession/NumberOfScheduledRetriesForUserSession
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/MultipleSession/NumberOfScheduledRetriesForUserSession
+```
+
+
+
+
+The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is 0 and IntervalForScheduledRetriesForUserSession is not 0, then the schedule will be set to repeat for an infinite number of times.
+
+
+
+
+> [!NOTE]
+> Only applicable for Windows Enterprise multi-session.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/NumberOfDaysAfterLostContactToUnenroll
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/NumberOfDaysAfterLostContactToUnenroll
+```
+
+
+
+
+Number of days after last successful sync to unenroll.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/Poll
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll
+```
+
+
+
+
+Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration. If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/Poll/AllUsersPollOnFirstLogin
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/AllUsersPollOnFirstLogin
+```
+
+
+
+
+Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Polling is disabled on first login. |
+| true | Polling is enabled on first login. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/Poll/IntervalForFirstSetOfRetries
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/IntervalForFirstSetOfRetries
+```
+
+
+
+
+The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /``/Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/Poll/IntervalForRemainingScheduledRetries
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/IntervalForRemainingScheduledRetries
+```
+
+
+
+
+The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /``/Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
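Review bot: The IntervalForRemainingScheduledRetries description repeats the wording of IntervalForFirstSetOfRetries ("The waiting time (in minutes) for the initial set of retries") while pointing at NumberOfRemainingScheduledRetries. It should describe the remaining scheduled retries, not the initial set. The referenced path also renders as "/``/Poll/NumberOfRemainingScheduledRetries" with an empty placeholder where the provider ID belongs; the First and Second interval descriptions have the same gap.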
+##### Device/Provider/{ProviderID}/Poll/IntervalForSecondSetOfRetries
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/IntervalForSecondSetOfRetries
+```
+
+
+
+
+The waiting time (in minutes) for the second set of retries as specified by the number of retries in /``/Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/Poll/NumberOfFirstRetries
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/NumberOfFirstRetries
+```
+
+
+
+
+The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10. The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
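Review bot: The second sentence of the NumberOfFirstRetries description does not parse: "the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case". Rewrite it to state directly which schedules are not created when the first set repeats indefinitely. The closing sentence refers to "RemainingScheduledRetries", which is not one of the node names added here; use NumberOfRemainingScheduledRetries or IntervalForRemainingScheduledRetries.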
+##### Device/Provider/{ProviderID}/Poll/NumberOfRemainingScheduledRetries
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/NumberOfRemainingScheduledRetries
+```
+
+
+
+
+The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled. The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
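Review bot: The condition in the NumberOfRemainingScheduledRetries description is incomplete: "If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries" never says what IntervalForRemainingScheduledRetries must be (the sibling descriptions use "is not 0"). The opening sentence reuses the "when the client is initially configured/enrolled" text from the first set, although this node is described a few sentences later as the long-run polling schedule. The last two sentences refer to Windows Phone 8.1, while the Applicable OS cell for this node starts at Windows 10, version 1507; drop them or explain why they still apply.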
+##### Device/Provider/{ProviderID}/Poll/NumberOfSecondRetries
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/NumberOfSecondRetries
+```
+
+
+
+
+The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled. The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
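Review bot: In the NumberOfSecondRetries description, "The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day" is ungrammatical and leaves the bound ambiguous: it can be read as "should last more than a day" or "should not last more than a day". Rewrite it with the intended limit stated explicitly, and fold the fragment "And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries." into a full sentence.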
+##### Device/Provider/{ProviderID}/Poll/PollOnLogin
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Poll/PollOnLogin
+```
+
+
+
+
+Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Polling is disabled on first login. |
+| true | Polling is enabled on first login. |
+
+
+
+
+
+
+
+
+
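Review bot: PollOnLogin reuses the AllUsersPollOnFirstLogin wording for its default and its Allowed values table ("Polling is disabled on first login." / "Polling is enabled on first login."), although the description says this node covers any user login regardless of earlier logins. As written the two nodes cannot be told apart from their tables. Change the table and default text to refer to every login, and fix "preciously" to "previously" in the description.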
+#### Device/Provider/{ProviderID}/PublisherDeviceID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/PublisherDeviceID
+```
+
+
+
+
+The PublisherDeviceID is a device-unique ID created based on the enterprise Publisher ID. Publisher ID is created based on the enterprise application token and enterprise ID via ./Vendor/MSFT/EnterpriseAppManagement/``/EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises' applications, each enterprise is identified differently.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/Push
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push
+```
+
+
+
+
+Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/Push/ChannelURI
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push/ChannelURI
+```
+
+
+
+
+A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/Push/PFN
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push/PFN
+```
+
+
+
+
+A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/Push/Status
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Push/Status
+```
+
+
+
+
+An integer that maps to a known error state or condition on the system. Valid values are: 0 - Success, 1 - Failure: invalid PFN, 2 - Failure: invalid or expired device authentication with MSA, 3 - Failure: WNS client registration failed due to an invalid or revoked PFN, 4 - Failure: no Channel URI assigned, 5 - Failure: Channel URI has expired, 6 - Failure: Channel URI failed to be revoked, 7 - Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations, 8 - Unknown error.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/Recovery
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery
+```
+
+
+
+
+Parent node for Recovery nodes.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/Recovery/AllowRecovery
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery/AllowRecovery
+```
+
+
+
+
+This node determines whether or not the client will automatically initiate a MDM Recovery operation when it detects issues with the MDM certificate.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | MDM Recovery is allowed. |
+| 0 (Default) | MDM Recovery is not allowed. |
+
+
+
+
+
+
+
+
+
+##### Device/Provider/{ProviderID}/Recovery/InitiateRecovery
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery/InitiateRecovery
+```
+
+
+
+
+This node initiates a recovery action. The server can specify prerequisites before the action is taken.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Exec |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Initiate MDM Recovery. |
+| 1 | Initiate Recovery if Keys are not already protected by the TPM, there is a TPM to put the keys into, AAD keys are protected by TPM, and the TPM is ready for attestation. |
+
+
+
+
+
+
+
+
+
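Review bot: InitiateRecovery lists its default, 0, as "Initiate MDM Recovery." with no conditions, while only value 1 carries the TPM prerequisites, and the description ("The server can specify prerequisites before the action is taken.") leaves it unclear whether 0 runs recovery without those checks. Spell out what 0 does and does not check, and say what a Default Value means for a node whose only access type is Exec. A cross-reference to RecoveryStatus, where the outcome codes are listed, would also help a server author.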
+##### Device/Provider/{ProviderID}/Recovery/RecoveryStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1165] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Recovery/RecoveryStatus
+```
+
+
+
+
+This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM is not available. 4 - Recovery has failed to start because AAD keys are not protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM is not ready for attestation. 7 - Recovery has failed because the client cannot authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/RequireMessageSigning
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/RequireMessageSigning
+```
+
+
+
+
+Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature. When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | The device management client does not include authentication information in the management session HTTP header. |
+| true | The client authentication information is provided in the management session HTTP header. |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/SignedEntDMID
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/SignedEntDMID
+```
+
+
+
+
+Character string that contains the device ID. This node and the nodes CertRenewTimeStamp can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the EntDMID with the old client certificate during the certificate renewal process and saves the signature locally.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/SyncApplicationVersion
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/SyncApplicationVersion
+```
+
+
+
+
+Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0.
+
+
+
+
+> [!NOTE]
+> Once you set the value to 2.0, it won't go back to 1.0.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `^(\d\.)?(\d)$` |
+| Default Value | 1.0 |
+
+
+
+
+
+
+
+
+
+#### Device/Provider/{ProviderID}/Unenroll
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/Unenroll
+```
+
+
+
+
+The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `- ` element.
+
+
+
+
+> [!NOTE]
+> `./Vendor/MSFT/DMClient/Unenroll` is supported for backward compatibility.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Exec, Get |
+
+
+
+
+**Example**:
The following SyncML shows how to remotely unenroll the device. This command should be inserted in the general DM packages sent from the server to the device.
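Review bot: In the RequireMessageSigning description, "validate the signature and the timestamp using the device identify certificate" should read "device identity certificate". In the same paragraph, "Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2" does not say what role SHA-2 plays; if it is the digest algorithm used for the detached signature over the full message (SyncHdr and SyncBody), please say so explicitly, since server implementers validate against this text. The allowed-values table describes the setting only as "authentication information in the management session HTTP header" and never names the MDM-Signature header the description introduces, so the two should use the same term. Two smaller points: the SignedEntDMID description reads "This node and the nodes CertRenewTimeStamp", which looks like a leftover from a longer list, and the Unenroll description ends "specified in the `` tag under the `- ` element", where both code spans are empty and the element names need to be restored and escaped so they render.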
@@ -848,7 +3806,724 @@ The following SyncML shows how to remotely unenroll the device. This command sho
```
+
+
+
+
+
+#### Device/Provider/{ProviderID}/UPN
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/UPN
+```
+
+
+
+
+Allows the management server to update the User Principal Name (UPN) of the enrolled user. This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Get, Replace |
+
+
+
+
+
+
+
+
+
+## Device/Unenroll
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Unenroll
+```
+
+
+
+
+The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `- ` element. Scope is permanent.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Exec, Get |
+
+
+
+
+
+
+
+
+
+## Device/UpdateManagementServiceAddress
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/UpdateManagementServiceAddress
+```
+
+
+
+
+For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+
+
+
+
+
+
+## User/Provider
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider
+```
+
+
+
+
+The root node for all settings that belong to a single management server.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### User/Provider/{ProviderID}
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}
+```
+
+
+
+
+This node contains the URI-encoded value of the bootstrapped device management account's Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn't require XML/URI escaping.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+
+
+
+
+
+
+
+
+
+#### User/Provider/{ProviderID}/FirstSyncStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+
+
+
+
+
+
+
+
+
+##### User/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/AllowCollectLogsButton
+```
+
+
+
+
+This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false (Default) | Do not show the Collect Logs button on the progress page. |
+| true | Show the Collect Logs button on the progress page. |
+
+
+
+
+
+
+
+
+
+##### User/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/CustomErrorText
+```
+
+
+
+
+This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get, Replace |
+
+
+
+
+
+
+
+
+
+##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedModernAppPackages
+```
+
+
+
+
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedMSIAppPackages
+```
+
+
+
+
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedNetworkProfiles
+```
+
+
+
+
+This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPFXCerts
+```
+
+
+
+
+This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedPolicies
+```
+
+
+
+
+This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### User/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ExpectedSCEPCerts
+```
+
+
+
+
+This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `\xF000`) |
+
+
+
+
+
+
+
+
+
+##### User/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/IsSyncDone
+```
+
+
+
+
+This node, when doing a get, tells the server if the "First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | The user is not finished provisioning. |
+| true | The user has finished provisoining. |
+
+
+
+
+
+
+
+
+
+##### User/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/ServerHasFinishedProvisioning
+```
+
+
+
+
+This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can "change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| false | Server has not finished provisioning. |
+| true | Server has finished provisioning. |
+
+
+
+
+
+
+
+
+
+##### User/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```User
+./User/Vendor/MSFT/DMClient/Provider/{ProviderID}/FirstSyncStatus/WasDeviceSuccessfullyProvisioned
+```
+
+
+
+
+Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get, Replace |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | The device has failed to provision the user. |
+| 1 | The device has successfully provisioned the user. |
+| 2 | Provisioning is in progress. |
+
+
+
+
+
+
+
+
+
+
+
+
+
## Related articles
-[Configuration service provider reference](index.yml)
+[Configuration service provider reference](configuration-service-provider-reference.md)
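Review bot: In the IsSyncDone allowed-values table, the `true` row reads "The user has finished provisoining."; that should be "provisioning". The `User/Provider/{ProviderID}/FirstSyncStatus` section has no description at all between its path block and the properties table, so a one-line statement of what the node groups would help. The ExpectedModernAppPackages and ExpectedMSIAppPackages descriptions run the sample value into the sentence ("E. G. ./Vendor/MSFT/...;4"\xF000" ./Vendor/MSFT/...;2 Which will represent ..."), leaving a stray quote and no visible boundary between the example and the prose; putting the example in its own code span or block, and changing "amount of apps" to "number of apps", would make the expected format unambiguous. The Device/Unenroll description also has the same empty code spans ("the `` tag under the `- ` element") as the per-provider Unenroll node.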
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index 4f66124b30..b5ef6feff0 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -1,1906 +1,916 @@
---
title: DMClient DDF file
-description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP).
-ms.reviewer:
+description: View the XML file containing the device description framework (DDF) for the DMClient configuration service provider.
+author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 02/24/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 12/05/2017
+ms.topic: reference
---
+
+
# DMClient DDF file
-
-This topic shows the OMA DM device description framework (DDF) for the **DMClient** configuration service provider. DDF files are used only with OMA DM provisioning XML.
-
-Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md).
-
-The XML below is for Windows 10, version 1803.
+The following XML file contains the device description framework (DDF) for the DMClient configuration service provider.
```xml
-]>
+]>
1.2
+
+
+
+ DMClient
+ ./User/Vendor/MSFT
+
+
+
+
+ Root node for the CSP.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.10240
+ 1.0
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;
+
+
+
+ Provider
+
+
+
+
+ The root node for all settings that belong to a single management server.
+
+
+
+
+
+
+
+
+
+
+
+
+
- DMClient
- ./User/Vendor/MSFT
+
+
+
+
+ This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn’t require XML/URI escaping.
-
+
-
+
+ ProviderID
- com.microsoft/1.5/MDM/DMClient
+
+
+
+
+
+
- Provider
+ FirstSyncStatus
+
+
-
+
-
+
-
+
+
+ 10.0.16299
+ 1.4
+
-
+ ExpectedPolicies
+
+ This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
-
+
-
+
- text/plain
+
+
+
+
+
+
+
+ ExpectedNetworkProfiles
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExpectedMSIAppPackages
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExpectedModernAppPackages
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExpectedPFXCerts
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExpectedSCEPCerts
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ServerHasFinishedProvisioning
+
+
+
+
+
+ This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Server has not finished provisioning
+
+
+ true
+ Server has finished provisioning
+
+
+
+
+
+ IsSyncDone
+
+
+
+
+
+ This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ The user is not finished provisioning
+
+
+ true
+ The user has finished provisoining.
+
+
+
+
+
+ WasDeviceSuccessfullyProvisioned
+
+
+
+
+
+ Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ The device has failed to provision the user
+
+
+ 1
+ The device has successfully provisioned the user.
+
+
+ 2
+ Provisoining is in progress.
+
+
+
+
+
+ AllowCollectLogsButton
+
+
+
+
+
+ false
+ This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17134
+ 1.5
+
+
+
+ false
+ Do not show the Collect Logs button on the progress page.
+
+
+ true
+ Show the Collect Logs button on the progress page.
+
+
+
+
+
+ CustomErrorText
+
+
+
+
+
+ This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17134
+ 1.5
+
+
+
-
- FirstSyncStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ExpectedPolicies
-
-
-
-
-
-
-
- This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExpectedNetworkProfiles
-
-
-
-
-
-
-
- This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000". This is per user.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExpectedMSIAppPackages
-
-
-
-
-
-
-
- This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExpectedModernAppPackages
-
-
-
-
-
-
-
- This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExpectedPFXCerts
-
-
-
-
-
-
-
- This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExpectedSCEPCerts
-
-
-
-
-
-
-
- This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER). This is per user.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ServerHasFinishedProvisioning
-
-
-
-
-
- This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IsSyncDone
-
-
-
-
-
- This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- WasDeviceSuccessfullyProvisioned
-
-
-
-
-
- Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AllowCollectLogsButton
-
-
-
-
-
- false
- This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the user MDM status page (on a per user basis).
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CustomErrorText
-
-
-
-
-
-
-
- This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
+
+
+
+ DMClient
+ ./Device/Vendor/MSFT
+
+
+
+
+ Root node for the CSP.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.10240
+ 1.0
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD;
+
+
+
+ Provider
+
+
+
+
+ The root node for all settings that belong to a single management server.
+
+
+
+
+
+
+
+
+
+
+
+
+
- DMClient
- ./Device/Vendor/MSFT
+
+
+
+
+ This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn’t require XML/URI escaping.
-
+
-
+
+ ProviderID
- com.microsoft/1.4/MDM/DMClient
+
+
+
+
+
+
- Provider
+ EntDeviceName
+
+
+
+
+
+
+
+ Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExchangeID
+
+
+
+
+
+
+
+ Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EntDMID
+
+
+
+
+
+
+
+ Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SignedEntDMID
+
+
+
+
+
+
+
+ Character string that contains the device ID. This node and the nodes CertRenewTimeStamp can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the EntDMID with the old client certificate during the certificate renewal process and saves the signature locally.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ CertRenewTimeStamp
+
+
+
+
+
+
+
+ The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PublisherDeviceID
+
+
+
+
+
+
+
+ /EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises’ applications, each enterprise is identified differently.]]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ManagementServiceAddress
+
+
+
+
+
+ . If there is only a single URL, then the <> are not required. This is supported for both desktop and mobile devices. During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session.]]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Device/Vendor/MSFT/DMClient/Provider/[ProviderID]/ManagementServerAddressList
+
+
+
+
+
+
+
+
+ UPN
+
+
+
+
+
+
+ Allows the management server to update the User Principal Name (UPN) of the enrolled user. This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ HelpPhoneNumber
+
+
+
+
+
+
+
+ The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ HelpWebsite
+
+
+
+
+
+
+
+ The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ HelpEmailAddress
+
+
+
+
+
+
+
+ The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RequireMessageSigning
+
+
+
+
+
+
+
+ false
+ Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature. When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ The device management client does not include authentication information in the management session HTTP header.
+
+
+ true
+ The client authentication information is provided in the management session HTTP header.
+
+
+
+
+
+ SyncApplicationVersion
+
+
+
+
+
+
+
+ 1.0
+ Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ^(\d\.)?(\d)$
+
+
+
+
+ MaxSyncApplicationVersion
+ Used by the client to indicate the latest DM session version that it supports.
-
+
-
+
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
- EntDeviceName
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExchangeID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EntDMID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SignedEntDMID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CertRenewTimeStamp
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- PublisherDeviceID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- ManagementServiceAddress
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- UPN
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- HelpPhoneNumber
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- HelpWebsite
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- HelpEmailAddress
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RequireMessageSigning
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SyncApplicationVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- MaxSyncApplicationVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Unenroll
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AADResourceID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AADDeviceID
-
-
-
-
- Device ID used for AAD device registration
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EnrollmentType
-
-
-
-
- Type of MDM enrollment
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EnableOmaDmKeepAliveMessage
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- HWDevID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ManagementServerAddressList
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CommercialID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ManagementServerToUpgradeTo
-
-
-
-
-
-
-
- Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NumberOfDaysAfterLostContactToUnenroll
-
-
-
-
-
-
-
- Number of days after last successful sync to unenroll
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AADSendDeviceToken
-
-
-
-
-
-
-
- Send the device Azure Active Directory token, if the user one can't be returned
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Push
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- PFN
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ChannelURI
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Status
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Poll
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- IntervalForFirstSetOfRetries
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NumberOfFirstRetries
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IntervalForSecondSetOfRetries
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NumberOfSecondRetries
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IntervalForRemainingScheduledRetries
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NumberOfRemainingScheduledRetries
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- PollOnLogin
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AllUsersPollOnFirstLogin
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- CustomEnrollmentCompletePage
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Title
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- BodyText
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- HyperlinkHref
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- HyperlinkText
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- FirstSyncStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ExpectedPolicies
-
-
-
-
-
-
-
- This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExpectedNetworkProfiles
-
-
-
-
-
-
-
- This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000".
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExpectedMSIAppPackages
-
-
-
-
-
-
-
- This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExpectedModernAppPackages
-
-
-
-
-
-
-
- This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExpectedPFXCerts
-
-
-
-
-
-
-
- This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExpectedSCEPCerts
-
-
-
-
-
-
-
- This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- TimeOutUntilSyncFailure
-
-
-
-
-
- This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ServerHasFinishedProvisioning
-
-
-
-
-
- This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IsSyncDone
-
-
-
-
-
- This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- WasDeviceSuccessfullyProvisioned
-
-
-
-
-
- Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- BlockInStatusPage
-
-
-
-
-
- 0
- Device Only. This node determines whether or not the MDM progress page is blocking in the Azure Active Directory-joined or DJ++ case, as well as which remediation options are available.
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AllowCollectLogsButton
-
-
-
-
-
- false
- This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page.
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CustomErrorText
-
-
-
-
-
-
-
- This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SkipDeviceStatusPage
-
-
-
-
-
- true
- Device only. This node decides whether or not the MDM device progress page skips after Azure Active Directory-joined or Hybrid Azure AD-joined in OOBE.
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SkipUserStatusPage
-
-
-
-
-
- false
- Device only. This node decides wheter or not the MDM user progress page skips after Azure Active Directory-joined or DJ++ after user login.
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- EnhancedAppLayerSecurity
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- SecurityMode
-
-
-
-
-
-
-
- This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- UseCertIfRevocationCheckOffline
-
-
-
-
-
-
-
- This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Cert0
-
-
-
-
-
-
-
- The node contains the primary certificate - the public key to use.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Cert1
-
-
-
-
-
-
-
- The node contains the secondary certificate - the public key to use.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
Unenroll
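Review bot: In the added RequireMessageSigning description, "device identify certificate" should read "device identity certificate", and "Detached Signature of the complete SyncML message SHA-2" does not say whether the signature covers the message itself or its SHA-2 digest. Please reword it so that a server implementer knows exactly what to verify. The two allowed-value descriptions under the same node speak of "authentication information in the management session HTTP header" while the description names the header MDM-Signature; using the header name in both places would keep them consistent. In SignedEntDMID, "This node and the nodes CertRenewTimeStamp" should be "This node and the CertRenewTimeStamp node". The SyncApplicationVersion pattern ^(\d\.)?(\d)$ also accepts a bare single digit, while the description only mentions 1.0 and 2.0; either tighten the pattern or document the short form.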
@@ -1909,6 +919,7 @@ The XML below is for Windows 10, version 1803.
+ tag under the - element.]]>
@@ -1919,17 +930,19 @@ The XML below is for Windows 10, version 1803.
- text/plain
+
- UpdateManagementServiceAddress
+ AADResourceID
+
+ This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
@@ -1940,8 +953,97 @@ The XML below is for Windows 10, version 1803.
- text/plain
+
+
+
+
+
+
+ AADDeviceID
+
+
+
+
+ Device ID used for AAD device registration
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+
+ EnrollmentType
+
+
+
+
+ Type of MDM enrollment (Device or Full).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+
+ EnableOmaDmKeepAliveMessage
+
+
+
+
+
+ false
+ A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow. When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending. To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.10586
+ 1.1
+
+
+
+ false
+ Enable message
+
+
+ true
+ Disable message
+
+
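Review bot: The allowed-value descriptions added for EnableOmaDmKeepAliveMessage look inverted: false is described as "Enable message" and true as "Disable message", yet the default is false and the description states that by default the MDM client does not send an alert that a DM request is pending. Swap the two descriptions so that true enables the keep-alive message, or correct the default and the description if the inversion is intended.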
@@ -1950,6 +1052,7 @@ The XML below is for Windows 10, version 1803.
+ Returns the hardware device ID.
@@ -1960,10 +1063,1968 @@ The XML below is for Windows 10, version 1803.
- text/plain
+
+
+ 10.0.14393
+ 1.2
+
+
+ ManagementServerAddressList
+
+
+
+
+
+ , and so on. If there is only one, the angle brackets (<>) are not required. The < and > should be escaped. If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value. When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list.]]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+
+
+
+ CommercialID
+
+
+
+
+
+
+
+ Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.2
+
+
+
+
+
+
+ ManagementServerToUpgradeTo
+
+
+
+
+
+
+
+ Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.15063
+ 1.3
+
+
+
+
+
+
+ NumberOfDaysAfterLostContactToUnenroll
+
+
+
+
+
+
+
+ Number of days after last sucessful sync to unenroll
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.16299
+ 1.4
+
+
+
+
+
+
+ AADSendDeviceToken
+
+
+
+
+
+
+
+ For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17134
+ 1.5
+
+
+
+ false
+ Do not send Device Token if User Token cannot be obtained.
+
+
+ true
+ Send Device Token if User Token cannot be obtained.
+
+
+
+
+
+ ForceAadToken
+
+
+
+
+
+
+
+ Force device to send device AAD token during checkin as a separate header.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22621, 10.0.22000.739, 10.0.19044.1766, 10.0.19043.1766, 10.0.19042.1766
+ 1.6
+
+
+
+ 0
+ ForceAadTokenNotDefined: the value is not defined(default)
+
+
+ 1
+ AlwaysSendAadDeviceTokenCheckIn: always send AAD device token during checkin as a separate header section(not as Bearer token).
+
+
+ 2
+ Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during checkin as a separate header section(not as Bearer toekn).
+
+
+ 4
+ SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send AAD Device token for auth as Bearer token.
+
+
+ 8
+ Reserved for future. ForceAadTokenMaxAllowed: max value allowed.
+
+
+
+
+
+ Push
+
+
+
+
+
+
+ Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PFN
+
+
+
+
+
+
+
+ A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ChannelURI
+
+
+
+
+ A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Status
+
+
+
+
+ An integer that maps to a known error state or condition on the system. Valid values are: 0 - Success, 1 - Failure: invalid PFN, 2 - Failure: invalid or expired device authentication with MSA, 3 - Failure: WNS client registration failed due to an invalid or revoked PFN, 4 - Failure: no Channel URI assigned, 5 - Failure: Channel URI has expired, 6 - Failure: Channel URI failed to be revoked, 7 - Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations, 8 - Unknown error
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Poll
+
+
+
+
+
+
+ Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration. If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IntervalForFirstSetOfRetries
+
+
+
+
+
+
+
+ /Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.]]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ NumberOfFirstRetries
+
+
+
+
+
+
+
+ The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10. The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IntervalForSecondSetOfRetries
+
+
+
+
+
+
+
+ /Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled.]]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ NumberOfSecondRetries
+
+
+
+
+
+
+
+ The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled. The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IntervalForRemainingScheduledRetries
+
+
+
+
+
+
+
+ /Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.]]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ NumberOfRemainingScheduledRetries
+
+
+
+
+
+
+
+ The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled. The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PollOnLogin
+
+
+
+
+
+
+
+ false
+ Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Polling is disabled on first login
+
+
+ true
+ Polling is enabled on first login.
+
+
+
+
+
+ AllUsersPollOnFirstLogin
+
+
+
+
+
+
+
+ false
+ Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Polling is disabled on first login
+
+
+ true
+ Polling is enabled on first login.
+
+
+
+
+
+
+ CustomEnrollmentCompletePage
+
+
+
+
+
+
+ These nodes provision custom text for the enrollment page.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.15063
+ 1.3
+
+
+
+ Title
+
+
+
+
+
+
+
+ Specifies the title of the all done page that appears at the end of the MDM enrollment flow.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BodyText
+
+
+
+
+
+
+
+ Specifies the body text of the all done page that appears at the end of the MDM enrollment flow.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ HyperlinkHref
+
+
+
+
+
+
+
+ Specifies the URL that is shown at the end of the MDM enrollment flow.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ HyperlinkText
+
+
+
+
+
+
+
+ Specifies the display text for the URL that is shown at the end of the MDM enrollment flow.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ FirstSyncStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.16299
+ 1.4
+
+
+
+ ExpectedPolicies
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExpectedNetworkProfiles
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExpectedMSIAppPackages
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExpectedModernAppPackages
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExpectedPFXCerts
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExpectedSCEPCerts
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TimeOutUntilSyncFailure
+
+
+
+
+
+ 60
+ This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [1-1440]
+
+
+
+
+ ServerHasFinishedProvisioning
+
+
+
+
+
+ This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ Server has not finished provisioning
+
+
+ true
+ Server has finished provisioning
+
+
+
+
+
+ IsSyncDone
+
+
+
+
+
+ This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ The device is not finished provisioning
+
+
+ true
+ The device has finished provisoining.
+
+
+
+
+
+ WasDeviceSuccessfullyProvisioned
+
+
+
+
+
+ Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ The device has failed to provision the device
+
+
+ 1
+ The device has successfully provisioned the device.
+
+
+ 2
+ Provisoining is in progress.
+
+
+
+
+
+ BlockInStatusPage
+
+
+
+
+
+ 0
+ Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17134
+ 1.5
+
+
+
+ 0x0
+ Allow the user to exit the page before provisioning completes.
+
+
+ 0x1
+ Block the user on the page and show the Reset PC button on failure.
+
+
+ 0x2
+ Block the user on the page and show the Try Again button on failure.
+
+
+ 0x4
+ Block the user on the page and show the Continue Anyway button on failure.
+
+
+
+
+
+ AllowCollectLogsButton
+
+
+
+
+
+ false
+ This node decides whether or not the MDM progress page displays the Collect Logs button. This node only applies to the device MDM status page.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17134
+ 1.5
+
+
+
+ false
+ Do not show the Collect Logs button on the progress page.
+
+
+ true
+ Show the Collect Logs button on the progress page.
+
+
+
+
+
+ CustomErrorText
+
+
+
+
+
+
+
+ This node allows the MDM to set custom error text, detailing what the user needs to do in case of error. This node only applies to the user MDM status page (on a per user basis).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17134
+ 1.5
+
+
+
+
+
+
+ SkipDeviceStatusPage
+
+
+
+
+
+ true
+ Device only. This node decides whether or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17134
+ 1.5
+
+
+
+ false
+ Do not skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE
+
+
+ true
+ Skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE
+
+
+
+
+
+ SkipUserStatusPage
+
+
+
+
+
+ true
+ Device only. This node decides whether or not the MDM user progress page skips after AADJ or DJ++ after user login.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.17134
+ 1.5
+
+
+
+ false
+ Do not skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE.
+
+
+ true
+ Skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE
+
+
+
+
+
+
+ EnhancedAppLayerSecurity
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.16299
+ 1.4
+
+
+
+ SecurityMode
+
+
+
+
+
+
+
+ 0
+ This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ no op
+
+
+ 1
+ sign only
+
+
+ 2
+ encrypt only
+
+
+ 3
+ sign and encrypt
+
+
+
+
+
+ UseCertIfRevocationCheckOffline
+
+
+
+
+
+
+
+ false
+ This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+ False
+
+
+ true
+ True
+
+
+
+
+
+ Cert0
+
+
+
+
+
+
+
+ The node contains the primary certificate - the public key to use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Cert1
+
+
+
+
+
+
+
+ The node contains the secondary certificate - the public key to use.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ConfigLock
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+
+
+
+ Lock
+
+
+
+
+
+
+
+ 0
+ This node specifies how the client will perform the lock mode for SecureCore PC. 0: unlock; 1: lock. The default value is 0.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Unlock
+
+
+ 1
+ Lock
+
+
+
+
+
+ UnlockDuration
+
+
+
+
+
+
+
+ 480
+ This node, when it is set, tells the client to set how many minutes the device should be temporarily unlocked from SecureCore settings protection. The default value is 480.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SecureCore
+
+
+
+
+ The node returns the boolean value whether the device is a SecureCore PC.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ LinkedEnrollment
+
+
+
+
+ The interior node for linked enrollment
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22621, 10.0.22000.918, 10.0.19044.2193, 10.0.19043.2193, 10.0.19042.2193
+ 1.6
+
+
+
+ Priority
+
+
+
+
+
+
+
+ Optional. Allowed value is 0 or 1. 0 means the main enrollment has authority for mdm settings and resources, 1 means the linked enrollment has authority.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ The main enrollment has priority over linked enrollment.
+
+
+ 1
+ The linked enrollment has priority over the main enrollment.
+
+
+
+
+
+ LastError
+
+
+
+
+ return the last error for enroll/unenroll.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnrollStatus
+
+
+
+
+ Returns the current enrollment or un-enrollment status of the linked enrollment.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Undefined
+
+
+ 1
+ Enrollment Not started.
+
+
+ 2
+ Enrollment In Progress.
+
+
+ 3
+ Enrollment Failed.
+
+
+ 4
+ Enrollment Succeeded.
+
+
+ 5
+ Unenrollment Not started.
+
+
+ 6
+ UnEnrollment In Progress.
+
+
+ 7
+ UnEnrollment Failed.
+
+
+ 8
+ UnEnrollment Succeeded.
+
+
+
+
+
+ Enroll
+
+
+
+
+ Trigger to enroll for the Linked Enrollment
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Unenroll
+
+
+
+
+ Trigger Unenroll for the Linked Enrollment
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MultipleSession
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22000
+ 1.6
+ 0xAF
+
+
+
+ NumAllowedConcurrentUserSessionForBackgroundSync
+
+
+
+
+
+
+
+ Optional. Maximum number of concurrent user sync sessions in background. Default value is 25. 0 none, 1 sequential, anything else: parallel.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ NumAllowedConcurrentUserSessionAtUserLogonSync
+
+
+
+
+
+
+
+ Optional. Maximum number of concurrent user sync sessions at User Login. Default value is 25. 0 none, 1 sequential, anything else: parallel.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IntervalForScheduledRetriesForUserSession
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ NumberOfScheduledRetriesForUserSession
+
+
+
+
+
+
+
+ The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is 0 and IntervalForScheduledRetriesForUserSession is not 0, then the schedule will be set to repeat for an infinite number of times.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Recovery
+
+
+
+
+ Parent node for Recovery nodes
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.22621, 10.0.22000.1165
+ 1.6
+
+
+
+ AllowRecovery
+
+
+
+
+
+ 0
+ This node determines whether or not the client will automatically initiate a MDM Recovery operation when it detects issues with the MDM certificate
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1
+ MDM Recovery is allowed.
+
+
+ 0
+ MDM Recovery is not allowed.
+
+
+ LastWrite
+
+
+
+ InitiateRecovery
+
+
+
+
+ 0
+ This node initiates a recovery action. The server can specify prerequisites before the action is taken.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Initiate MDM Recovery
+
+
+ 1
+ Initiate Recovery if Keys are not already protected by the TPM, there is a TPM to put the keys into, AAD keys are protected by TPM, and the TPM is ready for attestation.
+
+
+
+
+
+ RecoveryStatus
+
+
+
+
+ 0
+ This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM is not available. 4 - Recovery has failed to start because AAD keys are not protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM is not ready for attestation. 7 - Recovery has failed because the client cannot authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Unenroll
+
+
+
+
+
+ > tag under the - element. Scope is permanent.]]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ UpdateManagementServiceAddress
+
+
+
+
+
+ For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ HWDevID
+
+
+
+
+ Returns the hardware device ID.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.16299
+ 1.3
+
+
+
+
```
+
+## Related articles
+
+[DMClient configuration service provider reference](dmclient-csp.md)
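Review bot: The UseCertIfRevocationCheckOffline description contradicts its own default. The node lists a default of `false`, but the description ends with "The default value is set", which reads as the opposite. This setting decides whether a certificate is trusted when its revocation status cannot be checked, so the text should state the default explicitly (for example "The default value is false") and match what the client actually does. Smaller points in the same hunk:

- The enum descriptions under IsSyncDone and WasDeviceSuccessfullyProvisioned misspell "provisioning" as "provisoining".
- The SkipUserStatusPage enum descriptions say "MGM user progress page" where the node description says MDM. They also say "in OOBE" while the node description says "after user login".
- No description text is visible for IntervalForScheduledRetriesForUserSession, although NumberOfScheduledRetriesForUserSession defines its behaviour in terms of that node. Please add the unit and the default.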