From efcfad21417b4f956a6abca7d5a625767c1d1692 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 9 Sep 2022 15:00:10 -0400 Subject: [PATCH] Add CertAttestation/MDMClientCertAttestation --- .../client-management/mdm/devicestatus-csp.md | 107 +- .../client-management/mdm/devicestatus-ddf.md | 1566 +++++++++-------- 2 files changed, 861 insertions(+), 812 deletions(-) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index c900b41939..72be68417e 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -1,7 +1,7 @@ --- title: DeviceStatus CSP description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -71,12 +71,14 @@ DeviceStatus --------VirtualizationBasedSecurityHwReq --------VirtualizationBasedSecurityStatus --------LsaCfgCredGuardStatus +----CertAttestation +--------MDMClientCertAttestation ``` -**DeviceStatus** +**DeviceStatus** The root node for the DeviceStatus configuration service provider. -**DeviceStatus/SecureBootState** +**DeviceStatus/SecureBootState** Indicates whether secure boot is enabled. The value is one of the following values: - 0 - Not supported 
@@ -85,67 +87,67 @@ Indicates whether secure boot is enabled. The value is one of the following valu Supported operation is Get. -**DeviceStatus/CellularIdentities** +**DeviceStatus/CellularIdentities** Required. Node for queries on the SIM cards. >[!NOTE] >Multiple SIMs are supported. -**DeviceStatus/CellularIdentities/***IMEI* +**DeviceStatus/CellularIdentities/***IMEI* The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. -**DeviceStatus/CellularIdentities/*IMEI*/IMSI** +**DeviceStatus/CellularIdentities/*IMEI*/IMSI** The International Mobile Subscriber Identity (IMSI) associated with the IMEI number. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/ICCID** +**DeviceStatus/CellularIdentities/*IMEI*/ICCID** The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber** +**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber** Phone number associated with the specific IMEI number. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator** +**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator** The mobile service provider or mobile operator associated with the specific IMEI number. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus** +**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus** Indicates whether the SIM card associated with the specific IMEI number is roaming. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance** +**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance** Boolean value that indicates compliance with the enforced enterprise roaming policy. Supported operation is Get. -**DeviceStatus/NetworkIdentifiers** +**DeviceStatus/NetworkIdentifiers** Node for queries on network and device properties. 
-**DeviceStatus/NetworkIdentifiers/***MacAddress* +**DeviceStatus/NetworkIdentifiers/***MacAddress* MAC address of the wireless network card. A MAC address is present for each network card on the device. -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4** +**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4** IPv4 address of the network card associated with the MAC address. Supported operation is Get. -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6** +**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6** IPv6 address of the network card associated with the MAC address. Supported operation is Get. -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected** +**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected** Boolean value that indicates whether the network card associated with the MAC address has an active network connection. Supported operation is Get. -**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type** +**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type** Type of network connection. The value is one of the following values: - 2 - WLAN (or other Wireless interface) @@ -154,10 +156,10 @@ Type of network connection. The value is one of the following values: Supported operation is Get. -**DeviceStatus/Compliance** +**DeviceStatus/Compliance** Node for the compliance query. -**DeviceStatus/Compliance/EncryptionCompliance** +**DeviceStatus/Compliance/EncryptionCompliance** Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values: - 0 - Not encrypted 
@@ -165,42 +167,42 @@ Boolean value that indicates compliance with the enterprise encryption policy fo Supported operation is Get. -**DeviceStatus/TPM** +**DeviceStatus/TPM** Added in Windows, version 1607. Node for the TPM query. Supported operation is Get. -**DeviceStatus/TPM/SpecificationVersion** +**DeviceStatus/TPM/SpecificationVersion** Added in Windows, version 1607. String that specifies the specification version. Supported operation is Get. -**DeviceStatus/OS** +**DeviceStatus/OS** Added in Windows, version 1607. Node for the OS query. Supported operation is Get. -**DeviceStatus/OS/Edition** +**DeviceStatus/OS/Edition** Added in Windows, version 1607. String that specifies the OS edition. Supported operation is Get. -**DeviceStatus/OS/Mode** +**DeviceStatus/OS/Mode** Added in Windows, version 1803. Read only node that specifies the device mode. -Valid values: +Valid values: - 0 - The device is in standard configuration. - 1 - The device is in S mode configuration. Supported operation is Get. -**DeviceStatus/Antivirus** +**DeviceStatus/Antivirus** Added in Windows, version 1607. Node for the antivirus query. Supported operation is Get. -**DeviceStatus/Antivirus/SignatureStatus** +**DeviceStatus/Antivirus/SignatureStatus** Added in Windows, version 1607. Integer that specifies the status of the antivirus signature. Valid values: @@ -218,7 +220,7 @@ If more than one antivirus provider is active, this node returns: This node also returns 0 when no antivirus provider is active. -**DeviceStatus/Antivirus/Status** +**DeviceStatus/Antivirus/Status** Added in Windows, version 1607. Integer that specifies the status of the antivirus. Valid values: 
@@ -231,12 +233,12 @@ Valid values: Supported operation is Get. -**DeviceStatus/Antispyware** +**DeviceStatus/Antispyware** Added in Windows, version 1607. Node for the anti-spyware query. Supported operation is Get. -**DeviceStatus/Antispyware/SignatureStatus** +**DeviceStatus/Antispyware/SignatureStatus** Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature. Valid values: @@ -254,7 +256,7 @@ If more than one anti-spyware provider is active, this node returns: This node also returns 0 when no anti-spyware provider is active. -**DeviceStatus/Antispyware/Status** +**DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the anti-spyware. Valid values: @@ -266,12 +268,12 @@ Valid values: Supported operation is Get. -**DeviceStatus/Firewall** +**DeviceStatus/Firewall** Added in Windows, version 1607. Node for the firewall query. Supported operation is Get. -**DeviceStatus/Firewall/Status** +**DeviceStatus/Firewall/Status** Added in Windows, version 1607. Integer that specifies the status of the firewall. Valid values: 
@@ -284,75 +286,75 @@ Valid values: Supported operation is Get. -**DeviceStatus/UAC** +**DeviceStatus/UAC** Added in Windows, version 1607. Node for the UAC query. Supported operation is Get. -**DeviceStatus/UAC/Status** +**DeviceStatus/UAC/Status** Added in Windows, version 1607. Integer that specifies the status of the UAC. Supported operation is Get. -**DeviceStatus/Battery** +**DeviceStatus/Battery** Added in Windows, version 1607. Node for the battery query. Supported operation is Get. -**DeviceStatus/Battery/Status** +**DeviceStatus/Battery/Status** Added in Windows, version 1607. Integer that specifies the status of the battery Supported operation is Get. -**DeviceStatus/Battery/EstimatedChargeRemaining** +**DeviceStatus/Battery/EstimatedChargeRemaining** Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. -**DeviceStatus/Battery/EstimatedRuntime** +**DeviceStatus/Battery/EstimatedRuntime** Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. -**DeviceStatus/DomainName** +**DeviceStatus/DomainName** Added in Windows, version 1709. 
Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string. Supported operation is Get. -**DeviceStatus/DeviceGuard** +**DeviceStatus/DeviceGuard** Added in Windows, version 1709. Node for Device Guard query. Supported operation is Get. -**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq** +**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq** Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask. - 0x0: System meets hardware configuration requirements -- 0x1: SecureBoot required +- 0x1: SecureBoot required - 0x2: DMA Protection required - 0x4: HyperV not supported for Guest VM - 0x8: HyperV feature isn't available Supported operation is Get. -**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** +**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** Added in Windows, version 1709. Virtualization-based security status. Value is one of the following: - 0 - Running -- 1 - Reboot required -- 2 - 64-bit architecture required -- 3 - Not licensed -- 4 - Not configured -- 5 - System doesn't meet hardware requirements +- 1 - Reboot required +- 2 - 64-bit architecture required +- 3 - Not licensed +- 4 - Not configured +- 5 - System doesn't meet hardware requirements - 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details. Supported operation is Get. -**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus** +**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus** Added in Windows, version 1709. Local System Authority (LSA) credential guard status. - 0 - Running 
@@ -363,6 +365,11 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s Supported operation is Get. +**DeviceStatus/CertAttestation/MDMClientCertAttestation** +Added in Windows 11, version 22H2. MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields. + +Supported operation is Get. + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 9019f6a5b9..f081bf1262 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -1,7 +1,7 @@ --- title: DeviceStatus DDF description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -25,862 +25,904 @@ The XML below is for Windows 10, version 1803. "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd" []> - 1.2 - + 1.2 + DeviceStatus ./Vendor/MSFT - - - - - - - - - - - - - - com.microsoft/1.4/MDM/DeviceStatus - + + + + + + + + + + + + + + com.microsoft/1.4/MDM/DeviceStatus + - SecureBootState - - - - - - - - - - - - - - - text/plain - - - - - CellularIdentities - - - - - - - - - - - - - - - - - - - + SecureBootState - - - - - - - - - - - - - IMEI - - - - - - IMSI - - + - + - + - + - text/plain + text/plain - - - - ICCID - + + + + CellularIdentities + - + - + - + - + - text/plain + - - - - PhoneNumber - - - - - - - - - - - - - - - text/plain - - - - - CommercializationOperator - - - - - - - - - - - - - - - text/plain - - - - - RoamingStatus - - - - - - - - - - - - - - - text/plain - - - - - RoamingCompliance - - - - - - - - - - - - - - - text/plain - - - - - - - NetworkIdentifiers - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - MacAddress - - - - IPAddressV4 - + + + + + + + + + + + + + + + IMEI + + + + + + IMSI + + + + + + + + + + + + + + + text/plain + + + + + ICCID + + + + + + + + + + + + + + + text/plain + + + + + PhoneNumber + + + + + + + + + + + + + + + text/plain + + + + + CommercializationOperator + + + + + + + + + + + + + + + text/plain + + + + + RoamingStatus + + + + + + + + + + + + + + + text/plain + + + + + RoamingCompliance + + + + + + + + + + + + + + + text/plain + + + + + + + NetworkIdentifiers + - + - + - + - + - text/plain + - + + + + + + + + + + + + + + + + + MacAddress + + + + + + IPAddressV4 + + + + + + + + + + + + + + + text/plain + + + + + IPAddressV6 + + + + + + + + + + + + + + + text/plain + + + + + IsConnected + + + + + + + + + + + + + + + text/plain + + + + + Type + + + + + + + + + + + + + + + text/plain + + + + + + + Compliance + + + + + + + + + + + + + + + + + + + EncryptionCompliance + + + + + + + + + + + + + + + text/plain + + + + + + TPM + + + + + + + + + + + + + + + + + + + 
SpecificationVersion + + + + + Not available + + + + + + + + + + + text/plain + + + + + + OS + + + + + + + + + + + + + + + + + + + Edition + + + + + Not available + + + + + + + + + + + text/plain + + - IPAddressV6 - + Mode + + + + + Not available + + + + + + + + + + + text/plain + + + + + + Antivirus + - + - + - + - + - text/plain + - + + + SignatureStatus + + + + + 1 + + + + + + + + + + + text/plain + + - IsConnected - + Status + + + + + 3 + + + + + + + + + + + text/plain + + + + + + Antispyware + - + - + - + - + - text/plain + - + + + SignatureStatus + + + + + 1 + + + + + + + + + + + text/plain + + - Type - + Status + + + + + 3 + + + + + + + + + + + text/plain + + + + + + Firewall + - + - + - + - + - text/plain + - + + + Status + + + + + 3 + + + + + + + + + + + text/plain + + - - Compliance - - - - - - - - - - - - - - - - - - - EncryptionCompliance + UAC - - - - - - - - - - - - - - text/plain - + + + + + + + + + + + + + + + - + + Status + + + + + + + + + + + + + + + text/plain + + + - TPM - - - - - - - - - - - - - - - - - - - SpecificationVersion + Battery - - - - Not available - - - - - - - - - - - text/plain - + + + + + + + + + + + + + + + - + + Status + + + + + 0 + + + + + + + + + + + text/plain + + + + + EstimatedChargeRemaining + + + + + 0 + + + + + + + + + + + text/plain + + + + + EstimatedRuntime + + + + + 0 + + + + + + + + + + + text/plain + + + - OS - - - - - - - - - - - - - - - - - - - Edition + DomainName - - - - Not available - - - - - - - - - - - text/plain - + + + + Returns the fully qualified domain name of the device(if any). 
+ + + + + + + + + + DomainName + + text/plain + - - - Mode - - - - - Not available - - - - - - - - - - - text/plain - - - - Antivirus - - - - - - - - - - - - - - - - - - - SignatureStatus + DeviceGuard - - - - 1 - - - - - - - - - - - text/plain - + + + + + + + + + + + + + + + - - - Status - - - - - 3 - - - - - - - - - - - text/plain - - - + + VirtualizationBasedSecurityHwReq + + + + + + + + + + + + + + + text/plain + + + + + VirtualizationBasedSecurityStatus + + + + + + + + + + + + + + + text/plain + + + + + LsaCfgCredGuardStatus + + + + + + + + + + + + + + + text/plain + + + - Antispyware - - - - - - - - - - - - - - - - - - - SignatureStatus + CertAttestation - - - - 1 - - - - - - - - - - - text/plain - + + + + Node for Certificate Attestation + + + + + + + + + + + + - - - Status - - - - - 3 - - - - - - - - - - - text/plain - - - + + MDMClientCertAttestation + + + + + MDM Certificate attestation information. This will return an XML blob containing the relevent attestation fields. + + + + + + + + + + + + + + - - Firewall - - - - - - - - - - - - - - - - - - - Status - - - - - 3 - - - - - - - - - - - text/plain - - - - - - UAC - - - - - - - - - - - - - - - - - - - Status - - - - - - - - - - - - - - - text/plain - - - - - - Battery - - - - - - - - - - - - - - - - - - - Status - - - - - 0 - - - - - - - - - - - text/plain - - - - - EstimatedChargeRemaining - - - - - 0 - - - - - - - - - - - text/plain - - - - - EstimatedRuntime - - - - - 0 - - - - - - - - - - - text/plain - - - - - - DomainName - - - - - Returns the fully qualified domain name of the device(if any). - - - - - - - - - - DomainName - - text/plain - - - - - DeviceGuard - - - - - - - - - - - - - - - - - - - VirtualizationBasedSecurityHwReq - - - - - - - - - - - - - - - text/plain - - - - - VirtualizationBasedSecurityStatus - - - - - - - - - - - - - - - text/plain - - - - - LsaCfgCredGuardStatus - - - - - - - - - - - - - - - text/plain - - - - - + ```
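Review bot: the hunks from `@@ -1,7 +1,7 @@` through `@@ -284,75 +286,75 @@` in devicestatus-csp.md, and the bulk of the devicestatus-ddf.md hunk, are trailing-whitespace and re-indentation changes only (for example `-**DeviceStatus** ` becoming `+**DeviceStatus**`, and `-ms.reviewer: ` becoming `+ms.reviewer:`), which turns a two-node documentation addition into a diff of 861 insertions and 812 deletions; split the whitespace cleanup into its own commit so the substantive CertAttestation change can be reviewed on its own and shows up cleanly in blame.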
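Review bot: the reference hunk at `@@ -363,6 +365,11 @@` in devicestatus-csp.md documents only the leaf `DeviceStatus/CertAttestation/MDMClientCertAttestation`, while the tree hunk at `@@ -71,12 +71,14 @@` adds a `CertAttestation` parent node; every other interior node on this page (TPM, OS, Antivirus, DeviceGuard) has its own entry with an "Added in" line, a one-line purpose and "Supported operation is Get.", so add a matching `**DeviceStatus/CertAttestation**` entry, for example "Added in Windows 11, version 22H2. Node for the certificate attestation query." The leaf description "This will return an XML blob containing the relevant attestation fields" also gives an MDM server implementer nothing to act on: name the XML schema or list the fields the blob carries, and state what the server is expected to verify in it, since an attestation value a server cannot validate is just an opaque string.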
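Review bot: the hunk at `@@ -25,862 +25,904 @@` in devicestatus-ddf.md keeps the intro sentence "The XML below is for Windows 10, version 1803." as unchanged context while adding a node that the CSP page marks "Added in Windows 11, version 22H2"; update that sentence to the version the DDF now reflects, otherwise readers targeting 1803 will expect a node their devices do not expose. In the same hunk the MDMClientCertAttestation description misspells "relevant" as "relevent" (the csp.md text spells it correctly), and, unlike every other leaf node in this DDF, the added MDMClientCertAttestation entry shows no `text/plain` MIME line in the hunk; confirm the node's format and MIME type entries are present so an MDM server can distinguish an XML payload from the plain-text integers returned by the neighbouring nodes.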