From efcfad21417b4f956a6abca7d5a625767c1d1692 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Fri, 9 Sep 2022 15:00:10 -0400
Subject: [PATCH] Add CertAttestation/MDMClientCertAttestation
---
.../client-management/mdm/devicestatus-csp.md | 107 +-
.../client-management/mdm/devicestatus-ddf.md | 1566 +++++++++--------
2 files changed, 861 insertions(+), 812 deletions(-)
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index c900b41939..72be68417e 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -1,7 +1,7 @@
---
title: DeviceStatus CSP
description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -71,12 +71,14 @@ DeviceStatus
--------VirtualizationBasedSecurityHwReq
--------VirtualizationBasedSecurityStatus
--------LsaCfgCredGuardStatus
+----CertAttestation
+--------MDMClientCertAttestation
```
-**DeviceStatus**
+**DeviceStatus**
The root node for the DeviceStatus configuration service provider.
-**DeviceStatus/SecureBootState**
+**DeviceStatus/SecureBootState**
Indicates whether secure boot is enabled. The value is one of the following values:
- 0 - Not supported
@@ -85,67 +87,67 @@ Indicates whether secure boot is enabled. The value is one of the following valu
Supported operation is Get.
-**DeviceStatus/CellularIdentities**
+**DeviceStatus/CellularIdentities**
Required. Node for queries on the SIM cards.
>[!NOTE]
>Multiple SIMs are supported.
-**DeviceStatus/CellularIdentities/***IMEI*
+**DeviceStatus/CellularIdentities/***IMEI*
The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device.
-**DeviceStatus/CellularIdentities/*IMEI*/IMSI**
+**DeviceStatus/CellularIdentities/*IMEI*/IMSI**
The International Mobile Subscriber Identity (IMSI) associated with the IMEI number.
Supported operation is Get.
-**DeviceStatus/CellularIdentities/*IMEI*/ICCID**
+**DeviceStatus/CellularIdentities/*IMEI*/ICCID**
The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number.
Supported operation is Get.
-**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber**
+**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber**
Phone number associated with the specific IMEI number.
Supported operation is Get.
-**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator**
+**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator**
The mobile service provider or mobile operator associated with the specific IMEI number.
Supported operation is Get.
-**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus**
+**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus**
Indicates whether the SIM card associated with the specific IMEI number is roaming.
Supported operation is Get.
-**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance**
+**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance**
Boolean value that indicates compliance with the enforced enterprise roaming policy.
Supported operation is Get.
-**DeviceStatus/NetworkIdentifiers**
+**DeviceStatus/NetworkIdentifiers**
Node for queries on network and device properties.
-**DeviceStatus/NetworkIdentifiers/***MacAddress*
+**DeviceStatus/NetworkIdentifiers/***MacAddress*
MAC address of the wireless network card. A MAC address is present for each network card on the device.
-**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4**
+**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4**
IPv4 address of the network card associated with the MAC address.
Supported operation is Get.
-**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6**
+**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6**
IPv6 address of the network card associated with the MAC address.
Supported operation is Get.
-**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected**
+**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected**
Boolean value that indicates whether the network card associated with the MAC address has an active network connection.
Supported operation is Get.
-**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
+**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
Type of network connection. The value is one of the following values:
- 2 - WLAN (or other Wireless interface)
@@ -154,10 +156,10 @@ Type of network connection. The value is one of the following values:
Supported operation is Get.
-**DeviceStatus/Compliance**
+**DeviceStatus/Compliance**
Node for the compliance query.
-**DeviceStatus/Compliance/EncryptionCompliance**
+**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values:
- 0 - Not encrypted
@@ -165,42 +167,42 @@ Boolean value that indicates compliance with the enterprise encryption policy fo
Supported operation is Get.
-**DeviceStatus/TPM**
+**DeviceStatus/TPM**
Added in Windows, version 1607. Node for the TPM query.
Supported operation is Get.
-**DeviceStatus/TPM/SpecificationVersion**
+**DeviceStatus/TPM/SpecificationVersion**
Added in Windows, version 1607. String that specifies the specification version.
Supported operation is Get.
-**DeviceStatus/OS**
+**DeviceStatus/OS**
Added in Windows, version 1607. Node for the OS query.
Supported operation is Get.
-**DeviceStatus/OS/Edition**
+**DeviceStatus/OS/Edition**
Added in Windows, version 1607. String that specifies the OS edition.
Supported operation is Get.
-**DeviceStatus/OS/Mode**
+**DeviceStatus/OS/Mode**
Added in Windows, version 1803. Read only node that specifies the device mode.
-Valid values:
+Valid values:
- 0 - The device is in standard configuration.
- 1 - The device is in S mode configuration.
Supported operation is Get.
-**DeviceStatus/Antivirus**
+**DeviceStatus/Antivirus**
Added in Windows, version 1607. Node for the antivirus query.
Supported operation is Get.
-**DeviceStatus/Antivirus/SignatureStatus**
+**DeviceStatus/Antivirus/SignatureStatus**
Added in Windows, version 1607. Integer that specifies the status of the antivirus signature.
Valid values:
@@ -218,7 +220,7 @@ If more than one antivirus provider is active, this node returns:
This node also returns 0 when no antivirus provider is active.
-**DeviceStatus/Antivirus/Status**
+**DeviceStatus/Antivirus/Status**
Added in Windows, version 1607. Integer that specifies the status of the antivirus.
Valid values:
@@ -231,12 +233,12 @@ Valid values:
Supported operation is Get.
-**DeviceStatus/Antispyware**
+**DeviceStatus/Antispyware**
Added in Windows, version 1607. Node for the anti-spyware query.
Supported operation is Get.
-**DeviceStatus/Antispyware/SignatureStatus**
+**DeviceStatus/Antispyware/SignatureStatus**
Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature.
Valid values:
@@ -254,7 +256,7 @@ If more than one anti-spyware provider is active, this node returns:
This node also returns 0 when no anti-spyware provider is active.
-**DeviceStatus/Antispyware/Status**
+**DeviceStatus/Antispyware/Status**
Added in Windows, version 1607. Integer that specifies the status of the anti-spyware.
Valid values:
@@ -266,12 +268,12 @@ Valid values:
Supported operation is Get.
-**DeviceStatus/Firewall**
+**DeviceStatus/Firewall**
Added in Windows, version 1607. Node for the firewall query.
Supported operation is Get.
-**DeviceStatus/Firewall/Status**
+**DeviceStatus/Firewall/Status**
Added in Windows, version 1607. Integer that specifies the status of the firewall.
Valid values:
@@ -284,75 +286,75 @@ Valid values:
Supported operation is Get.
-**DeviceStatus/UAC**
+**DeviceStatus/UAC**
Added in Windows, version 1607. Node for the UAC query.
Supported operation is Get.
-**DeviceStatus/UAC/Status**
+**DeviceStatus/UAC/Status**
Added in Windows, version 1607. Integer that specifies the status of the UAC.
Supported operation is Get.
-**DeviceStatus/Battery**
+**DeviceStatus/Battery**
Added in Windows, version 1607. Node for the battery query.
Supported operation is Get.
-**DeviceStatus/Battery/Status**
+**DeviceStatus/Battery/Status**
Added in Windows, version 1607. Integer that specifies the status of the battery
Supported operation is Get.
-**DeviceStatus/Battery/EstimatedChargeRemaining**
+**DeviceStatus/Battery/EstimatedChargeRemaining**
Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
-**DeviceStatus/Battery/EstimatedRuntime**
+**DeviceStatus/Battery/EstimatedRuntime**
Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
-**DeviceStatus/DomainName**
+**DeviceStatus/DomainName**
Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string.
Supported operation is Get.
-**DeviceStatus/DeviceGuard**
+**DeviceStatus/DeviceGuard**
Added in Windows, version 1709. Node for Device Guard query.
Supported operation is Get.
-**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**
+**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**
Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask.
- 0x0: System meets hardware configuration requirements
-- 0x1: SecureBoot required
+- 0x1: SecureBoot required
- 0x2: DMA Protection required
- 0x4: HyperV not supported for Guest VM
- 0x8: HyperV feature isn't available
Supported operation is Get.
-**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
+**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
Added in Windows, version 1709. Virtualization-based security status. Value is one of the following:
- 0 - Running
-- 1 - Reboot required
-- 2 - 64-bit architecture required
-- 3 - Not licensed
-- 4 - Not configured
-- 5 - System doesn't meet hardware requirements
+- 1 - Reboot required
+- 2 - 64-bit architecture required
+- 3 - Not licensed
+- 4 - Not configured
+- 5 - System doesn't meet hardware requirements
- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details.
Supported operation is Get.
-**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus**
+**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus**
Added in Windows, version 1709. Local System Authority (LSA) credential guard status.
- 0 - Running
@@ -363,6 +365,11 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
Supported operation is Get.
+**DeviceStatus/CertAttestation/MDMClientCertAttestation**
+Added in Windows 11, version 22H2. MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields.
+
+Supported operation is Get.
+
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md
index 9019f6a5b9..f081bf1262 100644
--- a/windows/client-management/mdm/devicestatus-ddf.md
+++ b/windows/client-management/mdm/devicestatus-ddf.md
@@ -1,7 +1,7 @@
---
title: DeviceStatus DDF
description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -25,862 +25,904 @@ The XML below is for Windows 10, version 1803.
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[]>
- 1.2
-
+ 1.2
+
DeviceStatus
./Vendor/MSFT
-
-
-
-
-
-
-
-
-
-
-
-
-
- com.microsoft/1.4/MDM/DeviceStatus
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.4/MDM/DeviceStatus
+
- SecureBootState
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CellularIdentities
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+ SecureBootState
-
-
-
-
-
-
-
-
-
-
-
-
- IMEI
-
-
-
-
-
- IMSI
-
-
+
-
+
-
+
-
+
- text/plain
+ text/plain
-
-
-
- ICCID
-
+
+
+
+ CellularIdentities
+
-
+
-
+
-
+
-
+
- text/plain
+
-
-
-
- PhoneNumber
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CommercializationOperator
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RoamingStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RoamingCompliance
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
- NetworkIdentifiers
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- MacAddress
-
-
-
- IPAddressV4
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IMEI
+
+
+
+
+
+ IMSI
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ICCID
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PhoneNumber
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CommercializationOperator
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RoamingStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RoamingCompliance
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+ NetworkIdentifiers
+
-
+
-
+
-
+
-
+
- text/plain
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MacAddress
+
+
+
+
+
+ IPAddressV4
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IPAddressV6
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IsConnected
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Type
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+ Compliance
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EncryptionCompliance
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ TPM
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SpecificationVersion
+
+
+
+
+ Not available
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ OS
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Edition
+
+
+
+
+ Not available
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
- IPAddressV6
-
+ Mode
+
+
+
+
+ Not available
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Antivirus
+
-
+
-
+
-
+
-
+
- text/plain
+
-
+
+
+ SignatureStatus
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
- IsConnected
-
+ Status
+
+
+
+
+ 3
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Antispyware
+
-
+
-
+
-
+
-
+
- text/plain
+
-
+
+
+ SignatureStatus
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
- Type
-
+ Status
+
+
+
+
+ 3
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Firewall
+
-
+
-
+
-
+
-
+
- text/plain
+
-
+
+
+ Status
+
+
+
+
+ 3
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
-
- Compliance
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- EncryptionCompliance
+ UAC
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+ Status
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
- TPM
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- SpecificationVersion
+ Battery
-
-
-
- Not available
-
-
-
-
-
-
-
-
-
-
- text/plain
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+ Status
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EstimatedChargeRemaining
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EstimatedRuntime
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
- OS
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Edition
+ DomainName
-
-
-
- Not available
-
-
-
-
-
-
-
-
-
-
- text/plain
-
+
+
+
+ Returns the fully qualified domain name of the device(if any).
+
+
+
+
+
+
+
+
+
+ DomainName
+
+ text/plain
+
-
-
- Mode
-
-
-
-
- Not available
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
- Antivirus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- SignatureStatus
+ DeviceGuard
-
-
-
- 1
-
-
-
-
-
-
-
-
-
-
- text/plain
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
- Status
-
-
-
-
- 3
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+
+ VirtualizationBasedSecurityHwReq
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ VirtualizationBasedSecurityStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LsaCfgCredGuardStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
- Antispyware
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- SignatureStatus
+ CertAttestation
-
-
-
- 1
-
-
-
-
-
-
-
-
-
-
- text/plain
-
+
+
+
+ Node for Certificate Attestation
+
+
+
+
+
+
+
+
+
+
+
+
-
-
- Status
-
-
-
-
- 3
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+
+ MDMClientCertAttestation
+
+
+
+
+ MDM Certificate attestation information. This will return an XML blob containing the relevent attestation fields.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
- Firewall
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Status
-
-
-
-
- 3
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- UAC
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Status
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Battery
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Status
-
-
-
-
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EstimatedChargeRemaining
-
-
-
-
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EstimatedRuntime
-
-
-
-
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- DomainName
-
-
-
-
- Returns the fully qualified domain name of the device(if any).
-
-
-
-
-
-
-
-
-
- DomainName
-
- text/plain
-
-
-
-
- DeviceGuard
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- VirtualizationBasedSecurityHwReq
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- VirtualizationBasedSecurityStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LsaCfgCredGuardStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
+
```