diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index baa458ee02..8b2d2e8dff 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,5 +1,10 @@
{
"redirections": [
+ {
+ "source_path": "windows/application-management/msix-app-packaging-tool.md",
+ "redirect_url": "/windows/application-management/apps-in-windows-10",
+ "redirect_document_id": false
+ },
{
"source_path": "browsers/edge/about-microsoft-edge.md",
"redirect_url": "/previous-versions/windows/edge-legacy/about-microsoft-edge",
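Review bot: the new entry redirects `windows/application-management/msix-app-packaging-tool.md` to `/windows/application-management/apps-in-windows-10` with `redirect_document_id: false`, which is only correct if the destination is an existing, separate document and the source `.md` file is removed in the same change; a redirection whose source file is still present in the repo conflicts with the live page, so confirm the deletion is part of this PR and that the target path resolves before merging.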
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index 30de0a2c97..a285c99103 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -16,7 +16,7 @@ ms.author: dansimp
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
-
+
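Review bot: the removed line and the added line in this hunk are indistinguishable in the diff, so the only change is whitespace or a line ending; if that is the intent (for example stripping a trailing space after the "Return to:" link), state it in the commit message so the no-op is not mistaken for a lost edit.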
Application ID |
-The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app. |
+Application ID |
+The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app. |
Publisher |
-A string that identifies the publisher of the app. |
+Publisher |
+A string that identifies the publisher of the app. |
Application URL |
-A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment. |
+Application URL |
+A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment. |
Description |
-A brief description of your MDM app, which must be under 255 characters. |
+Description |
+A brief description of your MDM app, which must be under 255 characters. |
Icons |
-A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215 |
+Icons |
+A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215 |
Post OOBE
redirect_uri
After the user accepts or rejects the Terms of Use, the user is redirected to this URL.
redirect_uri
After the user accepts or rejects the Terms of Use, the user is redirected to this URL.
client-request-id
A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures.
client-request-id
A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures.
api-version
Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol.
api-version
Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol.
mode
Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices.
mode
Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices.
Object ID
Identifier of the user object corresponding to the authenticated user.
Object ID
Identifier of the user object corresponding to the authenticated user.
UPN
A claim containing the user principal name (UPN) of the authenticated user.
UPN
A claim containing the user principal name (UPN) of the authenticated user.
TID
A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.
TID
A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.
Resource
A sanitized URL representing the MDM application. Example, https://fabrikam.contosomdm.com.
Resource
A sanitized URL representing the MDM application. Example, https://fabrikam.contosomdm.com.
api-version
302
invalid_request
unsupported version
api-version
302
invalid_request
unsupported version
Tenant or user data are missing or other required prerequisites for device enrollment are not met
302
unauthorized_client
unauthorized user or tenant
Tenant or user data are missing or other required prerequisites for device enrollment are not met
302
unauthorized_client
unauthorized user or tenant
Azure AD token validation failed
302
unauthorized_client
unauthorized_client
Azure AD token validation failed
302
unauthorized_client
unauthorized_client
internal service error
302
server_error
internal service error
internal service error
302
server_error
internal service error
MDM auto-discovery using email address to retrieve MDM discovery URL
Enrollment
Not applicable
+MDM auto-discovery using email address to retrieve MDM discovery URL
Enrollment
Not applicable
Discovery URL provisioned in Azure
Uses MDM discovery URL
Enrollment
+Uses MDM discovery URL
Enrollment
Enrollment renewal
ROBO
Enrollment
+Enrollment
Enrollment renewal
ROBO
Enrollment
+Enrollment
Enrollment renewal
ROBO
Is MDM enrollment required?
Yes
Yes
No
+Is MDM enrollment required?
Yes
Yes
No
User can decline.
Authentication type
OnPremise
+Authentication type
OnPremise
Federated
Certificate
Federated
Federated
Federated
Federated
EnrollmentPolicyServiceURL
Optional (all auth)
Optional (all auth)
+EnrollmentPolicyServiceURL
Optional (all auth)
Optional (all auth)
Optional (all auth)
+Optional (all auth)
EnrollmentServiceURL
Required (all auth)
Used (all auth)
Used (all auth)
EnrollmentServiceURL
Required (all auth)
Used (all auth)
Used (all auth)
EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL
Highly recommended
Highly recommended
Highly recommended
EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL
Highly recommended
Highly recommended
Highly recommended
AuthenticationServiceURL used
Used (Federated auth)
Skipped
Skipped
AuthenticationServiceURL used
Used (Federated auth)
Skipped
Skipped
BinarySecurityToken
Custom per MDM
Azure AD issued token
Azure AD issued token
BinarySecurityToken
Custom per MDM
Azure AD issued token
Azure AD issued token
EnrollmentType
Full
Device
Full
EnrollmentType
Full
Device
Full
Enrolled certificate type
User certificate
Device certificate
User certificate
Enrolled certificate type
User certificate
Device certificate
User certificate
Enrolled certificate store
My/User
My/System
My/User
Enrolled certificate store
My/User
My/System
My/User
CSR subject name
User Principal Name
Device ID
User Principal Name
CSR subject name
User Principal Name
Device ID
User Principal Name
EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL
Not supported
Supported
Supported
EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL
Not supported
Supported
Supported
CSPs accessible during enrollment
Windows 10 support:
+CSPs accessible during enrollment
Windows 10 support:
same as traditional MDM enrollment
same as traditional MDM enrollment
same as traditional MDM enrollment
same as traditional MDM enrollment
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.
This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.
There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.
There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.
Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.
This device is already enrolled. You can contact your system administrator with the error code {0}.
This device is already enrolled. You can contact your system administrator with the error code {0}.
There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.
There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.
There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.
Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.
Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.
This feature is not supported. Contact your system administrator with the error code {0}.
This feature is not supported. Contact your system administrator with the error code {0}.
This feature is not supported. Contact your system administrator with the error code {0}.
This feature is not supported. Contact your system administrator with the error code {0}.
The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.
The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.
The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.
The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.
There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.
There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.
Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.
Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.
Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.
Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.
This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.
Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.
A reboot is required to complete device registration.
A reboot is required to complete device registration.
Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.
Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
Optional. Integer. Specifies the default roaming value. Valid values are:
+Optional. Integer. Specifies the default roaming value. Valid values are:
-BitLocker CSP | -Added support for Windows 10 Pro starting in the version 1809. + | BitLocker CSP | +Added support for Windows 10 Pro starting in the version 1809. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Office CSP | -Added FinalStatus setting in Windows 10, version 1809. + | Office CSP | +Added FinalStatus setting in Windows 10, version 1809. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
RemoteWipe CSP | -Added new settings in Windows 10, version 1809. + | RemoteWipe CSP | +Added new settings in Windows 10, version 1809. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
TenantLockdown CSP | -Added new CSP in Windows 10, version 1809. + | TenantLockdown CSP | +Added new CSP in Windows 10, version 1809. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
WindowsDefenderApplicationGuard CSP | -Added new settings in Windows 10, version 1809. + | WindowsDefenderApplicationGuard CSP | +Added new settings in Windows 10, version 1809. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Policy DDF file | -Posted an updated version of the Policy DDF for Windows 10, version 1809. + | Policy DDF file | +Posted an updated version of the Policy DDF for Windows 10, version 1809. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Policy CSP | -Added the following new policies in Windows 10, version 1809: + | Policy CSP | +Added the following new policies in Windows 10, version 1809:
AssignedAccess CSP |
-Added the following note: +AssignedAccess CSP |
+Added the following note: PassportForWork CSP |
-Added new settings in Windows 10, version 1809. +PassportForWork CSP |
+Added new settings in Windows 10, version 1809. EnterpriseModernAppManagement CSP |
-Added NonRemovable setting under AppManagement node in Windows 10, version 1809. +EnterpriseModernAppManagement CSP |
+Added NonRemovable setting under AppManagement node in Windows 10, version 1809. Win32CompatibilityAppraiser CSP |
-Added new configuration service provider in Windows 10, version 1809. +Win32CompatibilityAppraiser CSP |
+Added new configuration service provider in Windows 10, version 1809. WindowsLicensing CSP |
-Added S mode settings and SyncML examples in Windows 10, version 1809. +WindowsLicensing CSP |
+Added S mode settings and SyncML examples in Windows 10, version 1809. SUPL CSP |
-Added 3 new certificate nodes in Windows 10, version 1809. +SUPL CSP |
+Added 3 new certificate nodes in Windows 10, version 1809. Defender CSP |
-Added a new node Health/ProductStatus in Windows 10, version 1809. +Defender CSP |
+Added a new node Health/ProductStatus in Windows 10, version 1809. BitLocker CSP |
-Added a new node AllowStandardUserEncryption in Windows 10, version 1809. +BitLocker CSP |
+Added a new node AllowStandardUserEncryption in Windows 10, version 1809. DevDetail CSP |
-Added a new node SMBIOSSerialNumber in Windows 10, version 1809. +DevDetail CSP |
+Added a new node SMBIOSSerialNumber in Windows 10, version 1809. Policy CSP |
-Added the following new policies in Windows 10, version 1809: +Policy CSP |
+Added the following new policies in Windows 10, version 1809: Wifi CSP |
-Added a new node WifiCost in Windows 10, version 1809. +Wifi CSP |
+Added a new node WifiCost in Windows 10, version 1809. Diagnose MDM failures in Windows 10 |
-Recent changes: +Diagnose MDM failures in Windows 10 |
+Recent changes: BitLocker CSP |
-Added new node AllowStandardUserEncryption in Windows 10, version 1809. +BitLocker CSP |
+Added new node AllowStandardUserEncryption in Windows 10, version 1809. Policy CSP |
-Recent changes: +Policy CSP |
+Recent changes: WiredNetwork CSP |
-New CSP added in Windows 10, version 1809.
+ | WiredNetwork CSP |
+New CSP added in Windows 10, version 1809.
| |
Updated the DDF files in the Windows 10 version 1703 and 1709.
+Updated the DDF files in the Windows 10 version 1703 and 1709.
Added the following node in Windows 10, version 1803:
+Added the following node in Windows 10, version 1803:
Added the following node in Windows 10, version 1803:
+Added the following node in Windows 10, version 1803:
Added a new CSP in Windows 10, version 1803.
+Added a new CSP in Windows 10, version 1803.
Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.
+Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.
Added the DDF download of Windows 10, version 1803 configuration service providers.
+Added the DDF download of Windows 10, version 1803 configuration service providers.
Added the following new policies for Windows 10, version 1803:
+Added the following new policies for Windows 10, version 1803:
Added the following node in Windows 10, version 1803:
+Added the following node in Windows 10, version 1803:
Added the following node in Windows 10, version 1803:
+Added the following node in Windows 10, version 1803:
Added the following videos:
+Added the following videos:
Added a new CSP in Windows 10, version 1803.
+Added a new CSP in Windows 10, version 1803.
Added the following node in Windows 10, version 1803:
+Added the following node in Windows 10, version 1803:
Added the following new policies for Windows 10, version 1803:
+Added the following new policies for Windows 10, version 1803:
Added new section ServicesAllowedList usage guide.
+Added new section ServicesAllowedList usage guide.
Added SyncML examples and updated the settings descriptions.
+Added SyncML examples and updated the settings descriptions.
Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.
+Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.
Added the following new policies for Windows 10, version 1803:
+Added the following new policies for Windows 10, version 1803:
Updated the XSD and Plug-in profile example for VPNv2 CSP.
+Updated the XSD and Plug-in profile example for VPNv2 CSP.
Added the following nodes in Windows 10, version 1803:
+Added the following nodes in Windows 10, version 1803:
Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.
Added a new CSP in Windows 10, version 1803.
+Added a new CSP in Windows 10, version 1803.
Added the following node in Windows 10, version 1803:
+Added the following node in Windows 10, version 1803:
Added the following new policies for Windows 10, version 1803:
+Added the following new policies for Windows 10, version 1803:
Security/RequireDeviceEncryption - updated to show it is supported in desktop.
Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.
+Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.
Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.
+Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.
Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
+Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
Added new node (OfflineScan) in Windows 10, version 1803.
+Added new node (OfflineScan) in Windows 10, version 1803.
Added a new CSP in Windows 10, version 1803.
+Added a new CSP in Windows 10, version 1803.
Added the following nodes in Windows 10, version 1803:
+Added the following nodes in Windows 10, version 1803:
Added new section CSP DDF files download
+Added new section CSP DDF files download
Added the following policies for Windows 10, version 1709:
+Added the following policies for Windows 10, version 1709:
Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.
+Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.
Updated the following policies:
+Updated the following policies:
Added new CSP in Windows 10, version 1709.
+Added new CSP in Windows 10, version 1709.
Added SyncML examples for the new Configuration node.
+Added SyncML examples for the new Configuration node.
Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.
+Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.
Added the following new policies for Windows 10, version 1709:
+Added the following new policies for Windows 10, version 1709:
Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.
Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.
+Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.
Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.
+Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.
The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
+The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
Added a SyncML example.
+Added a SyncML example.
Added RegisterDNS setting in Windows 10, version 1709.
+Added RegisterDNS setting in Windows 10, version 1709.
Added new topic to introduce a new Group Policy for automatic MDM enrollment.
+Added new topic to introduce a new Group Policy for automatic MDM enrollment.
New features in the Settings app:
+New features in the Settings app:
Added new step-by-step guide to enable ADMX-backed policies.
+Added new step-by-step guide to enable ADMX-backed policies.
Added the following statement:
+Added the following statement:
Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.
+Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.
Updated the Settings/EDPEnforcementLevel values to the following:
+Updated the Settings/EDPEnforcementLevel values to the following:
Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.
+Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.
Added the following settings in Windows 10, version 1709:
+Added the following settings in Windows 10, version 1709:
Added the following setting in Windows 10, version 1709:
+Added the following setting in Windows 10, version 1709:
Added the following new policies for Windows 10, version 1709:
+Added the following new policies for Windows 10, version 1709:
The root node for the CleanPC configuration service provider.
+The root node for the CleanPC configuration service provider.
**CleanPCWithoutRetainingUserData** -An integer specifying a CleanPC operation without any retention of user data. +
An integer specifying a CleanPC operation without any retention of user data. -
The only supported operation is Execute. +
The only supported operation is Execute. **CleanPCRetainingUserData** -
An integer specifying a CleanPC operation with retention of user data. +
An integer specifying a CleanPC operation with retention of user data. -
The only supported operation is Execute. +
The only supported operation is Execute. diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 1d42413872..44886adee0 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -23,28 +23,28 @@ The following diagram shows the CM\_CellularEntries configuration service provid  ***entryname*** -
Defines the name of the connection.
+Defines the name of the connection.
-The CMPolicy configuration service provider uses the value of entryname to identify the connection that is associated with a policy and CM_ProxyEntries configuration service provider uses the value of entryname to identify the connection that is associated with a proxy.
+The CMPolicy configuration service provider uses the value of entryname to identify the connection that is associated with a policy and CM_ProxyEntries configuration service provider uses the value of entryname to identify the connection that is associated with a proxy.
**AlwaysOn** -Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available. +
Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available. -
A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. +
A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. -
A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs. +
A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs. -
There must be at least one AlwaysOn Internet connection provisioned for the mobile operator. +
There must be at least one AlwaysOn Internet connection provisioned for the mobile operator. **AuthType** -
Optional. Type: String. Specifies the method of authentication used for a connection. +
Optional. Type: String. Specifies the method of authentication used for a connection. -
A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None". +
A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None". **ConnectionType** -
Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available: +
Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available: -
OS upgrade |
-8 months |
-1 month |
-Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
+OS upgrade |
+8 months |
+1 month |
+Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
Update |
-1 month |
-1 week |
-
+ |
+Update |
+1 month |
+1 week
Note
If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
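Review bot: the Update row of the deferral table ends at "+1 week" with no closing cell delimiter, while the OS upgrade row above closes every cell with " |" and the removed line "-1 week |" did as well; it looks like the delimiter was dropped when the blank line was replaced by "+ |". Restore the trailing " |" on the "1 week" cell or the last row of the table will not render like the others.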
@@ -361,10 +361,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
| |
Other/cannot defer |
-No deferral |
-No deferral |
-Any update category not enumerated above falls into this category. + | Other/cannot defer |
+No deferral |
+No deferral |
+Any update category not enumerated above falls into this category. Definition Update - E0789628-CE08-4437-BE74-2495B842F43B |
BranchReadinessLevel |
-REG_DWORD |
-16: systems take Feature Updates on the Current Branch (CB) train + | BranchReadinessLevel |
+REG_DWORD |
+16: systems take Feature Updates on the Current Branch (CB) train 32: systems take Feature Updates on the Current Branch for Business Other value or absent: receive all applicable updates (CB) |
||
DeferQualityUpdates |
-REG_DWORD |
-1: defer quality updates + | DeferQualityUpdates |
+REG_DWORD |
+1: defer quality updates Other value or absent: don’t defer quality updates |
||
DeferQualityUpdatesPeriodInDays |
-REG_DWORD |
-0-30: days to defer quality updates |
+DeferQualityUpdatesPeriodInDays |
+REG_DWORD |
+0-30: days to defer quality updates |
||
PauseQualityUpdates |
-REG_DWORD |
-1: pause quality updates + | PauseQualityUpdates |
+REG_DWORD |
+1: pause quality updates Other value or absent: don’t pause quality updates |
||
DeferFeatureUpdates |
-REG_DWORD |
-1: defer feature updates + | DeferFeatureUpdates |
+REG_DWORD |
+1: defer feature updates Other value or absent: don’t defer feature updates |
||
DeferFeatureUpdatesPeriodInDays |
-REG_DWORD |
-0-180: days to defer feature updates |
+DeferFeatureUpdatesPeriodInDays |
+REG_DWORD |
+0-180: days to defer feature updates |
||
PauseFeatureUpdates |
-REG_DWORD |
-1: pause feature updates + | PauseFeatureUpdates |
+REG_DWORD |
+1: pause feature updates Other value or absent: don’t pause feature updates |
||
ExcludeWUDriversInQualityUpdate |
-REG_DWORD |
-1: exclude WU drivers + | ExcludeWUDriversInQualityUpdate |
+REG_DWORD |
+1: exclude WU drivers Other value or absent: offer WU drivers |
||
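Review bot: the BranchReadinessLevel row lists 16 for the Current Branch (CB) train and 32 for Current Branch for Business, but the fallback "Other value or absent: receive all applicable updates (CB)" describes the same behaviour as 16, so only 32 changes anything. Consider stating the values as "16: Current Branch (CB)", "32: Current Branch for Business (CBB)" and "absent or any other value: treated as CB" so the effective choice is obvious. The same "Other value or absent" fallback text is run onto the value line for DeferQualityUpdates, PauseQualityUpdates, DeferFeatureUpdates, PauseFeatureUpdates and ExcludeWUDriversInQualityUpdate; give it its own line in each cell, as DeferQualityUpdatesPeriodInDays and DeferFeatureUpdatesPeriodInDays already keep one statement per line.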
CONFIG_E_OBJECTBUSY |
-Another instance of the configuration management service is currently running. |
+CONFIG_E_OBJECTBUSY |
+Another instance of the configuration management service is currently running. |
||||
CONFIG_E_ENTRYNOTFOUND |
-No metabase entry was found. |
+CONFIG_E_ENTRYNOTFOUND |
+No metabase entry was found. |
||||
CONFIG_E_CSPEXCEPTION |
-An exception occurred in one of the configuration service providers. |
+CONFIG_E_CSPEXCEPTION |
+An exception occurred in one of the configuration service providers. |
||||
CONFIG_E_TRANSACTIONINGFAILURE |
-A configuration service provider failed to roll back properly. The affected settings might be in an unknown state. |
+CONFIG_E_TRANSACTIONINGFAILURE |
+A configuration service provider failed to roll back properly. The affected settings might be in an unknown state. |
||||
CONFIG_E_BAD_XML |
-The XML input is invalid or malformed. |
+CONFIG_E_BAD_XML |
+The XML input is invalid or malformed. |
Minimum supported client
None supported
Minimum supported client
None supported
Minimum supported server
None supported
Minimum supported server
None supported
Minimum supported phone
Windows Phone 8.1
Minimum supported phone
Windows Phone 8.1
Header
Dmprocessxmlfiltered.h
Header
Dmprocessxmlfiltered.h
Library
Dmprocessxmlfiltered.lib
Library
Dmprocessxmlfiltered.lib
DLL
Dmprocessxmlfiltered.dll
DLL
Dmprocessxmlfiltered.dll
Defines the root node for the DMSessionActions configuration service provider.
+Defines the root node for the DMSessionActions configuration service provider.
***ProviderID*** -Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
+Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
-Scope is dynamic. Supported operations are Get, Add, and Delete.
+Scope is dynamic. Supported operations are Get, Add, and Delete.
***ProviderID*/CheckinAlertConfiguration** -Node for the custom configuration of alerts to be sent during MDM sync session.
+Node for the custom configuration of alerts to be sent during MDM sync session.
***ProviderID*/CheckinAlertConfiguration/Nodes** -Required. Root node for URIs to be queried. Scope is dynamic.
+Required. Root node for URIs to be queried. Scope is dynamic.
-Supported operation is Get.
+Supported operation is Get.
***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*** -Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.
+Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.
-Supported operations are Get, Add, and Delete.
+Supported operations are Get, Add, and Delete.
***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*/NodeURI** -Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**AlertData** -Node to query the custom alert per server configuration
-Value type is string. Supported operation is Get.
+Node to query the custom alert per server configuration
+Value type is string. Supported operation is Get.
**PowerSettings** -Node for power-related configrations
+Node for power-related configrations
**PowerSettings/MaxSkippedSessionsInLowPowerState** -Maximum number of continuous skipped sync sessions when the device is in low-power state.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Maximum number of continuous skipped sync sessions when the device is in low-power state.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**PowerSettings/MaxTimeSessionsSkippedInLowPowerState** -Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
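Review bot: the ProviderID description ends "there should be only one ProviderID node under NodeCache", but this hunk is in the DMSessionActions CSP (the root-node line above says so), so the sentence appears to have been carried over from the NodeCache CSP and should name DMSessionActions. Two smaller fixes in the same hunk: "Node for power-related configrations" under PowerSettings should read "configurations", and "alerts to be sent during MDM sync session" under CheckinAlertConfiguration should read "during an MDM sync session".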
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 3716a1c54a..3b59ea0c12 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -33,12 +33,12 @@ DynamicManagement ----AlertsEnabled ``` **DynamicManagement** -The root node for the DynamicManagement configuration service provider.
+The root node for the DynamicManagement configuration service provider.
**NotificationsEnabled** -Boolean value for sending notification to the user of a context change.
-Default value is False. Supported operations are Get and Replace.
-Example to turn on NotificationsEnabled:
+Boolean value for sending notification to the user of a context change.
+Default value is False. Supported operations are Get and Replace.
+Example to turn on NotificationsEnabled:
```xmlA string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..
-Supported operation is Get.
+A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..
+Supported operation is Get.
**Contexts** -Node for context information.
-Supported operation is Get.
+Node for context information.
+Supported operation is Get.
***ContextID*** -Node created by the server to define a context. Maximum number of characters allowed is 38.
-Supported operations are Add, Get, and Delete.
+Node created by the server to define a context. Maximum number of characters allowed is 38.
+Supported operations are Add, Get, and Delete.
**SignalDefinition** -Signal Definition XML.
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Signal Definition XML.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**SettingsPack** -Settings that get applied when the Context is active.
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Settings that get applied when the Context is active.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**SettingsPackResponse** -Response from applying a Settings Pack that contains information on each individual action.
-Value type is string. Supported operation is Get.
+Response from applying a Settings Pack that contains information on each individual action.
+Value type is string. Supported operation is Get.
**ContextStatus** -Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.
-Value type is integer. Supported operation is Get.
+Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.
+Value type is integer. Supported operation is Get.
**Altitude** -A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.
-Value type is integer. Supported operations are Add, Get, Delete, and Replace.
+A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.
+Value type is integer. Supported operations are Add, Get, Delete, and Replace.
**AlertsEnabled** -A Boolean value for sending an alert to the server when a context fails.
-Supported operations are Get and Replace.
+A Boolean value for sending an alert to the server when a context fails.
+Supported operations are Get and Replace.
## Examples diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index c271c1dbe6..f82e763f75 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -39,40 +39,40 @@ EnterpriseAPN --------HideView ``` **EnterpriseAPN** -The root node for the EnterpriseAPN configuration service provider.
+The root node for the EnterpriseAPN configuration service provider.
**EnterpriseAPN/***ConnectionName* -Name of the connection as seen by Windows Connection Manager.
+Name of the connection as seen by Windows Connection Manager.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/APNName** -Enterprise APN name.
+Enterprise APN name.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/IPType** -This value can be one of the following:
+This value can be one of the following:
- IPv4 - only IPV4 connection type - IPv6 - only IPv6 connection type - IPv4v6 (default)- IPv4 and IPv6 concurrently. - IPv4v6xlat - IPv6 with IPv4 provided by 46xlat -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/IsAttachAPN** -Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.
+Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/ClassId** -GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.
+GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/AuthType** -Authentication type. This value can be one of the following:
+Authentication type. This value can be one of the following:
- None (default) - Auto @@ -80,39 +80,39 @@ EnterpriseAPN - CHAP - MSCHAPv2 -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/UserName** -User name for use with PAP, CHAP, or MSCHAPv2 authentication.
+User name for use with PAP, CHAP, or MSCHAPv2 authentication.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/Password** -Password corresponding to the username.
+Password corresponding to the username.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/IccId** -Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
+Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/AlwaysOn** -Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
+Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
-The default value is true.
+The default value is true.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/Enabled** -Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
+Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
-The default value is true.
+The default value is true.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/Roaming** -Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:
+Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:
Default is 1 (all roaming allowed).
+Default is 1 (all roaming allowed).
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/Settings** -Added in Windows 10, version 1607. Node that contains global settings.
+Added in Windows 10, version 1607. Node that contains global settings.
**EnterpriseAPN/Settings/AllowUserControl** -Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
+Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
-The default value is false.
+The default value is false.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**EnterpriseAPN/Settings/HideView** -Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
+Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
-The default value is false.
+The default value is false.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
## Examples diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 9a0893f98e..cb948488da 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -45,68 +45,68 @@ EnterpriseAppVManagement ------------Policy ``` **./Vendor/MSFT/EnterpriseAppVManagement** -Root node for the EnterpriseAppVManagement configuration service provider.
+Root node for the EnterpriseAppVManagement configuration service provider.
**AppVPackageManagement** -Used to query App-V package information (post-publish).
+Used to query App-V package information (post-publish).
**AppVPackageManagement/EnterpriseID** -Used to query package information. Value is always "HostedInstall".
+Used to query package information. Value is always "HostedInstall".
**AppVPackageManagement/EnterpriseID/PackageFamilyName** -Package ID of the published App-V package.
+Package ID of the published App-V package.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*** -Version ID of the published App-V package.
+Version ID of the published App-V package.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name** -Name specified in the published AppV package.
-Value type is string. Supported operation is Get.
+Name specified in the published AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version** -Version specified in the published AppV package.
-Value type is string. Supported operation is Get.
+Version specified in the published AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher** -Publisher as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Publisher as specified in the published asset information of the AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation** -Local package path specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Local package path specified in the published asset information of the AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate** -Date the app was installed, as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Date the app was installed, as specified in the published asset information of the AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users** -Registered users for app, as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Registered users for app, as specified in the published asset information of the AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId** -Package ID of the published App-V package.
-Value type is string. Supported operation is Get.
+Package ID of the published App-V package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId** -Version ID of the published App-V package.
-Value type is string. Supported operation is Get.
+Version ID of the published App-V package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri** -Package URI of the published App-V package.
-Value type is string. Supported operation is Get.
+Package URI of the published App-V package.
+Value type is string. Supported operation is Get.
**AppVPublishing** -Used to monitor publishing operations on App-V.
+Used to monitor publishing operations on App-V.
**AppVPublishing/LastSync** -Used to monitor publishing status of last sync operation.
+Used to monitor publishing status of last sync operation.
**AppVPublishing/LastSync/LastError** -Error code and error description of last sync operation.
-Value type is string. Supported operation is Get.
+Error code and error description of last sync operation.
+Value type is string. Supported operation is Get.
**AppVPublishing/LastSync/LastErrorDescription** -Last sync error status. One of the following values may be returned:
+Last sync error status. One of the following values may be returned:
- SYNC\_ERR_NONE (0) - No errors during publish. - SYNC\_ERR\_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish. @@ -116,10 +116,10 @@ EnterpriseAppVManagement - SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish. - SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occurred during publish. -Value type is string. Supported operation is Get.
+Value type is string. Supported operation is Get.
**AppVPublishing/LastSync/SyncStatusDescription** -Latest sync in-progress stage. One of the following values may be returned:
+Latest sync in-progress stage. One of the following values may be returned:
- SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle. - SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress. @@ -127,9 +127,9 @@ EnterpriseAppVManagement - SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress. - SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress. -Value type is string. Supported operation is Get.
+Value type is string. Supported operation is Get.
-AppVPublishing/LastSync/SyncProgressLatest sync state. One of the following values may be returned:
+AppVPublishing/LastSync/SyncProgressLatest sync state. One of the following values may be returned:
- SYNC\_STATUS_IDLE (0) - App-V Sync is idle. - SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing. @@ -137,22 +137,22 @@ EnterpriseAppVManagement - SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete. - SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot. -Value type is string. Supported operation is Get.
+Value type is string. Supported operation is Get.
**AppVPublishing/Sync** -Used to perform App-V synchronization.
+Used to perform App-V synchronization.
**AppVPublishing/Sync/PublishXML** -Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.
-Supported operations are Get, Delete, and Execute.
+Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.
+Supported operations are Get, Delete, and Execute.
**AppVDynamicPolicy** -Used to set App-V Policy Configuration documents for publishing packages.
+Used to set App-V Policy Configuration documents for publishing packages.
**AppVDynamicPolicy/*ConfigurationId*** -ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
+ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
**AppVDynamicPolicy/*ConfigurationId*/Policy** -XML for App-V Policy Configuration documents for publishing packages.
-Value type is xml. Supported operations are Add, Get, Delete, and Replace.
\ No newline at end of file +XML for App-V Policy Configuration documents for publishing packages.
+Value type is xml. Supported operations are Add, Get, Delete, and Replace.
\ No newline at end of file diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md index 12f02b683f..58fdde76ab 100644 --- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md +++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md @@ -40,10 +40,10 @@ EnterpriseExtFileSystem The following list describes the characteristics and parameters. **./Vendor/MSFT/EnterpriseExtFileSystem** -The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.
+The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.
**Persistent** -The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.
+The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.
> **Important** There is a limit to the amount of data that can be persisted, which varies depending on how much disk space is available on one of the partitions. This data cap amount (that can be persisted) varies by manufacturer. > @@ -54,24 +54,24 @@ The following list describes the characteristics and parameters. **NonPersistent** -The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.
+The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.
-When the device is wiped, any data stored in the NonPersistent folder is deleted.
+When the device is wiped, any data stored in the NonPersistent folder is deleted.
**OemProfile** -Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.
+Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.
***Directory*** -The name of a directory in the device file system. Any Directory node can have directories and files as child nodes.
+The name of a directory in the device file system. Any Directory node can have directories and files as child nodes.
-Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.
+Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.
-Use the Get command to return the list of child node names under Directory.
+Use the Get command to return the list of child node names under Directory.
-Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under Directory.
+Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under Directory.
***Filename*** -The name of a file in the device file system.
+The name of a file in the device file system.
Supported operations is Get. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 19fbe15c22..2d9fbf4570 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -103,68 +103,68 @@ Firewall ----------------Name ``` **./Vendor/MSFT/Firewall** -Root node for the Firewall configuration service provider.
+Root node for the Firewall configuration service provider.
**MdmStore** -Interior node.
-Supported operation is Get.
+Interior node.
+Supported operation is Get.
**MdmStore/Global** -Interior node.
-Supported operations are Get.
+Interior node.
+Supported operations are Get.
**MdmStore/Global/PolicyVersionSupported** -Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.
-Value type in integer. Supported operation is Get.
+Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.
+Value type in integer. Supported operation is Get.
**MdmStore/Global/CurrentProfiles** -Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.
-Value type in integer. Supported operation is Get.
+Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.
+Value type in integer. Supported operation is Get.
**MdmStore/Global/DisableStatefulFtp** -Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
-Default value is false.
-Data type is bool. Supported operations are Add, Get, Replace, and Delete.
+Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
+Default value is false.
+Data type is bool. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/SaIdleTime** -This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Default value is 300.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Default value is 300.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/PresharedKeyEncoding** -Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Default value is 1.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Default value is 1.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/IPsecExempt** -This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/CRLcheck** -This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:
+This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:
Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/PolicyVersion** -This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.
-Value type is string. Supported operation is Get.
+This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.
+Value type is string. Supported operation is Get.
**MdmStore/Global/BinaryVersionSupported** -This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
-Value type is string. Supported operation is Get.
+This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
+Value type is string. Supported operation is Get.
**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-Boolean value. Supported operations are Add, Get, Replace, and Delete.
+This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+Boolean value. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/EnablePacketQueue** -This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
+This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/DomainProfile** -Interior node. Supported operation is Get.
+Interior node. Supported operation is Get.
**MdmStore/PrivateProfile** -Interior node. Supported operation is Get.
+Interior node. Supported operation is Get.
**MdmStore/PublicProfile** -Interior node. Supported operation is Get.
+Interior node. Supported operation is Get.
**/EnableFirewall** -Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DisableStealthMode** -Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/Shielded** -Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
-Default value is false.
-Value type is bool. Supported operations are Get and Replace.
+Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
+Default value is false.
+Value type is bool. Supported operations are Get and Replace.
**/DisableUnicastResponsesToMulticastBroadcast** -Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DisableInboundNotifications** -Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AuthAppsAllowUserPrefMerge** -Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/GlobalPortsAllowUserPrefMerge** -Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AllowLocalPolicyMerge** -Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AllowLocalIpsecPolicyMerge** -Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DefaultOutboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.
+This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.
Default value is 0 (allow).
-Value type is integer. Supported operations are Add, Get and Replace.
+Default value is 0 (allow).
+Value type is integer. Supported operations are Add, Get and Replace.
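Review bot: the rewritten MdmStore/Global/CRLcheck line still carries the typo "Valid valued:"; since this hunk rewrites every line of the block anyway, change it to "Valid values:" in the same pass. Two more slips survive in the `+` lines of this hunk: the DefaultOutboundAction sentence "DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block" reads as contradicting the "Default value is 0 (allow)" line that follows it, so state which value that sentence describes (the block setting) so the default is not misread; and the OpportunisticallyMatchAuthSetPerKM entry reads "This value is bool used as an on/off switch", which should be "This value is a bool used as an on/off switch".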
Sample syncxml to provision the firewall settings to evaluate @@ -263,70 +263,70 @@ Sample syncxml to provision the firewall settings to evaluate ``` **/DefaultInboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
+This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
Default value is 1 (block).
-Value type is integer. Supported operations are Add, Get and Replace.
+Default value is 1 (block).
+Value type is integer. Supported operations are Add, Get and Replace.
**/DisableStealthModeIpsecSecuredPacketExemption** -Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**FirewallRules** -A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
**FirewallRules/_FirewallRuleName_** -Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
-Supported operations are Add, Get, Replace, and Delete.
+Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
+Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App** -Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
+Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
If not specified, the default is All.
-Supported operation is Get.
+If not specified, the default is All.
+Supported operation is Get.
**FirewallRules/_FirewallRuleName_/App/PackageFamilyName** -This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/FilePath** -This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/Fqbn** -Fully Qualified Binary Name
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Fully Qualified Binary Name
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/ServiceName** -This is a service name used in cases when a service, not an application, is sending or receiving traffic.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This is a service name used in cases when a service, not an application, is sending or receiving traffic.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Protocol** -0-255 number representing the ip protocol (TCP = 6, UDP = 17)
-If not specified, the default is All.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+0-255 number representing the ip protocol (TCP = 6, UDP = 17)
+If not specified, the default is All.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/LocalPortRanges** -Comma separated list of ranges. For example, 100-120,200,300-320.
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of ranges. For example, 100-120,200,300-320.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/RemotePortRanges** -Comma separated list of ranges, For example, 100-120,200,300-320.
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of ranges, For example, 100-120,200,300-320.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/*FirewallRuleName*/LocalAddressRanges** -Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
+Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/*FirewallRuleName*/RemoteAddressRanges** -List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
+List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
-The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.
**FirewallRules/_FirewallRuleName_/Description** -Specifies the description of the rule.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Specifies the description of the rule.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Enabled** -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -
If not specified - a new rule is enabled by default.
-Boolean value. Supported operations are Get and Replace.
+Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +
If not specified - a new rule is enabled by default.
+Boolean value. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Profiles** -Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
-If not specified, the default is All.
-Value type is integer. Supported operations are Get and Replace.
+Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
+If not specified, the default is All.
+Value type is integer. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Action** -Specifies the action for the rule.
-Supported operation is Get.
+Specifies the action for the rule.
+Supported operation is Get.
**FirewallRules/_FirewallRuleName_/Action/Type** -Specifies the action the rule enforces. Supported values:
+Specifies the action the rule enforces. Supported values:
If not specified, the default is allow.
-Value type is integer. Supported operations are Get and Replace.
+If not specified, the default is allow.
+Value type is integer. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Direction** -The rule is enabled based on the traffic direction as following. Supported values:
+The rule is enabled based on the traffic direction as following. Supported values:
Value type is string. Supported operations are Get and Replace.
+Value type is string. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/InterfaceTypes** -Comma separated list of interface types. Valid values:
+Comma separated list of interface types. Valid values:
If not specified, the default is All.
-Value type is string. Supported operations are Get and Replace.
+If not specified, the default is All.
+Value type is string. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/EdgeTraversal** -Indicates whether edge traversal is enabled or disabled for this rule.
-The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
-New rules have the EdgeTraversal property disabled by default.
-Value type is bool. Supported operations are Add, Get, Replace, and Delete.
+Indicates whether edge traversal is enabled or disabled for this rule.
+The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
+New rules have the EdgeTraversal property disabled by default.
+Value type is bool. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList** -Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Status** -Provides information about the specific version of the rule in deployment for monitoring purposes.
-Value type is string. Supported operation is Get.
+Provides information about the specific version of the rule in deployment for monitoring purposes.
+Value type is string. Supported operation is Get.
**FirewallRules/_FirewallRuleName_/Name** -Name of the rule.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Name of the rule.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
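Review bot: the rewritten DefaultInboundAction line keeps the stray period in "GroupPolicyRSoPStore.win if it is configured"; it should read "GroupPolicyRSoPStore win if it is configured" as in every other merge-law sentence in the file. While this hunk is touching these lines, the other surviving slips should be fixed too: the LocalAddressRanges and RemoteAddressRanges headings use `*FirewallRuleName*` while every other heading uses `_FirewallRuleName_` (pick one emphasis marker), the Profiles entry has a doubled period in "Domain, Private, Public. . See FW_PROFILE_TYPE", the Direction entry says "as following" (should be "as follows"), and the FirewallRuleName entry has "alpha numeric" (should be "alphanumeric").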
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 03fb5b432d..e570b9890d 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -26,18 +26,18 @@ The following is a list of functions performed by the Device HealthAttestation C ## Terms **TPM (Trusted Platform Module)** -TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.
+TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.
**DHA (Device HealthAttestation) feature** -The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
+The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
**DHA-Enabled device (Device HealthAttestation enabled device)** -A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.
+A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.
**DHA-Session (Device HealthAttestation session)** -The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
+The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
-The following list of transactions is performed in one DHA-Session:
+The following list of transactions is performed in one DHA-Session:
The following list of data is produced or consumed in one DHA-Transaction:
+The following list of data is produced or consumed in one DHA-Transaction:
Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
-DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
-The following list of operations is performed by DHA-Enabled-MDM
+Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
+DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
+The following list of operations is performed by DHA-Enabled-MDM
The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
-The following list of operations is performed by DHA-CSP:
+The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
+The following list of operations is performed by DHA-CSP:
Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
+Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
-DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
-The following list of operations is performed by DHA-Service:
+DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
+The following list of operations is performed by DHA-Service:
- Receives device boot data (DHA-BootData) from a DHA-Enabled device(DHA-Cloud)
DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
+(DHA-Cloud)
DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
(DHA-OnPrem)
DHA-OnPrem refers to DHA-Service that is running on premises:
+(DHA-OnPrem)
DHA-OnPrem refers to DHA-Service that is running on premises:
(DHA-EMC)
DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
+(DHA-EMC)
DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
The root node for the device HealthAttestation configuration service provider.
+The root node for the device HealthAttestation configuration service provider.
**VerifyHealth** (Required) -Notifies the device to prepare a device health verification request.
+Notifies the device to prepare a device health verification request.
-The supported operation is Execute.
+The supported operation is Execute.
**Status** (Required) -Provides the current status of the device health request.
+Provides the current status of the device health request.
-The supported operation is Get.
+The supported operation is Get.
-The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.
+The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.
- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device @@ -213,35 +213,35 @@ HealthAttestation - 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up **ForceRetrieve** (Optional) -Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
+Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
-Boolean value. The supported operation is Replace.
+Boolean value. The supported operation is Replace.
**Certificate** (Required) -Instructs the DHA-CSP to forward DHA-Data to the MDM server.
+Instructs the DHA-CSP to forward DHA-Data to the MDM server.
-Value type is b64.The supported operation is Get.
+Value type is b64.The supported operation is Get.
**Nonce** (Required) -Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
+Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
-The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.
+The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.
-The supported operations are Get and Replace.
+The supported operations are Get and Replace.
**CorrelationId** (Required) -Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
+Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
-Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
+Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
**HASEndpoint** (Optional) -Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
+Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
-Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.
+Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.
**TpmReadyStatus** (Required) -Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.
-Value type is integer. The supported operation is Get.
+Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.
+Value type is integer. The supported operation is Get.
## **DHA-CSP integration steps** @@ -508,14 +508,14 @@ The following list of data points are verified by the DHA-Service in DHA-Report Each of these are described in further detail in the following sections, along with the recommended actions to take. **Issued** -The date and time DHA-report was evaluated or issued to MDM.
+The date and time DHA-report was evaluated or issued to MDM.
**AIKPresent** -When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
+When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
-If AIKPresent = True (1), then allow access.
+If AIKPresent = True (1), then allow access.
-If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
+If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets @@ -523,24 +523,24 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **ResetCount** (Reported only for devices that support TPM 2.0) -This attribute reports the number of times a PC device has hibernated or resumed.
+This attribute reports the number of times a PC device has hibernated or resumed.
**RestartCount** (Reported only for devices that support TPM 2.0) -This attribute reports the number of times a PC device has rebooted
+This attribute reports the number of times a PC device has rebooted
**DEPPolicy** -A device can be trusted more if the DEP Policy is enabled on the device.
+A device can be trusted more if the DEP Policy is enabled on the device.
-Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
+Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
-DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** - To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** -If DEPPolicy = 1 (On), then allow access.
+If DEPPolicy = 1 (On), then allow access.
-If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
+If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets @@ -548,15 +548,15 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitLockerStatus** (at boot time) -When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
+When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
-Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
+Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
-If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
+If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
-If BitLockerStatus = 1 (On), then allow access.
+If BitLockerStatus = 1 (On), then allow access.
-If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
+If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets @@ -564,11 +564,11 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootManagerRevListVersion** -This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
+This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
-If BootManagerRevListVersion = [CurrentVersion], then allow access.
+If BootManagerRevListVersion = [CurrentVersion], then allow access.
-If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI and MBI assets @@ -576,11 +576,11 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityRevListVersion** -This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
+This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
-If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
+If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
-If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI and MBI assets @@ -588,11 +588,11 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. **SecureBootEnabled** -When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
+When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
-If SecureBootEnabled = 1 (True), then allow access.
+If SecureBootEnabled = 1 (True), then allow access.
-If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets @@ -600,16 +600,16 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootDebuggingEnabled** -Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
+Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
-Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off** - To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on** -If BootdebuggingEnabled = 0 (False), then allow access.
+If BootdebuggingEnabled = 0 (False), then allow access.
-If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets @@ -617,11 +617,11 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled** -OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
+OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
-If OSKernelDebuggingEnabled = 0 (False), then allow access.
+If OSKernelDebuggingEnabled = 0 (False), then allow access.
-If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets @@ -629,15 +629,15 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityEnabled** -When code integrity is enabled, code execution is restricted to integrity verified code.
+When code integrity is enabled, code execution is restricted to integrity verified code.
-Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
+Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
-On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
+On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
-If CodeIntegrityEnabled = 1 (True), then allow access.
+If CodeIntegrityEnabled = 1 (True), then allow access.
-If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets @@ -645,16 +645,16 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **TestSigningEnabled** -When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
+When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
-Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off** - To enable boot debugging, type **bcdedit.exe /set {current} testsigning on** -If TestSigningEnabled = 0 (False), then allow access.
+If TestSigningEnabled = 0 (False), then allow access.
-If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI and MBI assets @@ -662,33 +662,33 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode** -Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
+Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
-If SafeMode = 0 (False), then allow access.
+If SafeMode = 0 (False), then allow access.
-If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
+If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **WinPE** -Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
+Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
-If WinPE = 0 (False), then allow access.
+If WinPE = 0 (False), then allow access.
-If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
+If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
**ELAMDriverLoaded** (Windows Defender) -To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
+To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
-In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.
+In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.
-If a device is expected to use a 3rd party antivirus program, ignore the reported state.
+If a device is expected to use a 3rd party antivirus program, ignore the reported state.
-If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
+If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
-If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
+If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
- Disallow all access - Disallow access to HBI assets @@ -696,61 +696,61 @@ Each of these are described in further detail in the following sections, along w **Bcdedit.exe /set {current} vsmlaunchtype auto** -If ELAMDriverLoaded = 1 (True), then allow access.
+If ELAMDriverLoaded = 1 (True), then allow access.
-If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
+If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **VSMEnabled** -Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.
+Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.
-VSM can be enabled by using the following command in WMI or a PowerShell script:
+VSM can be enabled by using the following command in WMI or a PowerShell script:
-bcdedit.exe /set {current} vsmlaunchtype auto
+bcdedit.exe /set {current} vsmlaunchtype auto
-If VSMEnabled = 1 (True), then allow access.
-If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If VSMEnabled = 1 (True), then allow access.
+If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue **PCRHashAlgorithmID** -This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
+This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
**BootAppSVN** -This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
+This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
-If reported BootAppSVN equals an accepted value, then allow access.
+If reported BootAppSVN equals an accepted value, then allow access.
-If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **BootManagerSVN** -This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
+This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
-If reported BootManagerSVN equals an accepted value, then allow access.
+If reported BootManagerSVN equals an accepted value, then allow access.
-If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **TPMVersion** -This attribute identifies the version of the TPM that is running on the attested device.
-TPMVersion node provides to replies "1" and "2":
+This attribute identifies the version of the TPM that is running on the attested device.
+TPMVersion node provides to replies "1" and "2":
Based on the reply you receive from TPMVersion node:
+Based on the reply you receive from TPMVersion node:
- If reported TPMVersion equals an accepted value, then allow access. - If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies: @@ -758,63 +758,63 @@ Each of these are described in further detail in the following sections, along w - Direct the device to an enterprise honeypot, to further monitor the device's activities. **PCR0** -The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
+The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
-Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.
+Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.
-If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.
+If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.
-If PCR[0] equals an accepted allow list value, then allow access.
+If PCR[0] equals an accepted allow list value, then allow access.
-If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
+If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **SBCPHash** -SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
+SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
-If SBCPHash is not present, or is an accepted allow-listed value, then allow access. +
If SBCPHash is not present, or is an accepted allow-listed value, then allow access. -
If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
+If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **CIPolicy** -This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
+This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
-If CIPolicy is not present, or is an accepted allow-listed value, then allow access.
+If CIPolicy is not present, or is an accepted allow-listed value, then allow access.
-If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
+If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **BootRevListInfo** -This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
+This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
-If reported BootRevListInfo version equals an accepted value, then allow access.
+If reported BootRevListInfo version equals an accepted value, then allow access.
-If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **OSRevListInfo** -This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
+This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
-If reported OSRevListInfo version equals an accepted value, then allow access.
+If reported OSRevListInfo version equals an accepted value, then allow access.
-If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **HealthStatusMismatchFlags** -HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
+HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
-In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
+In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
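Review bot: the rewritten lines keep the article error "a allow list" / "a allow-listed value" in the PCR0, SBCPHash and CIPolicy paragraphs (should be "an allow list", "an allow-listed value"), and the TPMVersion line still reads "TPMVersion node provides to replies "1" and "2"", which should be "provides two replies, "1" and "2""; since these lines are being rewritten anyway, fix the wording in the same change, along with "finger print" in the SBCPHash paragraph ("fingerprint"). One content point: "If your enterprise does not have a allow list of accepted PCR[0] values, then take no action" reads as if the measurement passed; say explicitly that the PCR[0] check is skipped in that case and that the remaining attributes still decide access, so nobody treats a missing allow list as a green PCR[0] result.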
## **Device HealthAttestation CSP status and error codes** @@ -825,204 +825,204 @@ Each of these are described in further detail in the following sections, along wApplication data
The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.
Application data
The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.
Licensing models
Offline vs. Online
+Licensing models
Offline vs. Online
Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.
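Review bot: "Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store" mixes singular and plural; make it "Offline-licensed applications do not require connectivity to the store; however, they can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store."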
Root node for the Messaging configuration service provider.
+Root node for the Messaging configuration service provider.
**AuditingLevel** -Turns on the "Text" auditing feature.
-The following list shows the supported values:
+Turns on the "Text" auditing feature.
+The following list shows the supported values:
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**Auditing** -Node for auditing.
-Supported operation is Get.
+Node for auditing.
+Supported operation is Get.
**Messages** -Node for messages.
-Supported operation is Get.
+Node for messages.
+Supported operation is Get.
**Count** -The number of messages to return in the Data setting. The default is 100.
-Supported operations are Get and Replace.
+The number of messages to return in the Data setting. The default is 100.
+Supported operations are Get and Replace.
**RevisionId** -Retrieves messages whose revision ID is greater than RevisionId.
-Supported operations are Get and Replace.
+Retrieves messages whose revision ID is greater than RevisionId.
+Supported operations are Get and Replace.
**Data** -The JSON string of text messages on the device.
-Supported operations are Get and Replace.
+The JSON string of text messages on the device.
+Supported operations are Get and Replace.
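Review bot: under AuditingLevel, "The following list shows the supported values:" is followed directly by "Supported operations are Get and Replace." with no value list in this hunk; if the list (and its default) was dropped as context by the whitespace cleanup, restore it, because AuditingLevel is Replace-able and a server has nothing to send without the defined values. Minor: "Turns on the "Text" auditing feature" describes a boolean, but the node is a level; say what each value enables.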
**SyncML example** diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 6c898afe02..ceacdde6dd 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -140,53 +140,53 @@ The enrollment server can decline enrollment messages using the SOAP Fault formas:
MessageFormat
MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR
Message format is bad
80180001
s:
MessageFormat
MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR
Message format is bad
80180001
s:
Authentication
MENROLL_E_DEVICE_AUTHENTICATION_ERROR
User not recognized
80180002
s:
Authentication
MENROLL_E_DEVICE_AUTHENTICATION_ERROR
User not recognized
80180002
s:
Authorization
MENROLL_E_DEVICE_AUTHORIZATION_ERROR
User not allowed to enroll
80180003
s:
Authorization
MENROLL_E_DEVICE_AUTHORIZATION_ERROR
User not allowed to enroll
80180003
s:
CertificateRequest
MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR
Failed to get certificate
80180004
s:
CertificateRequest
MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR
Failed to get certificate
80180004
s:
EnrollmentServer
MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR
80180005
s:
EnrollmentServer
MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR
80180005
a:
InternalServiceFault
MENROLL_E_DEVICE_INTERNALSERVICE_ERROR
The server hit an unexpected issue
80180006
a:
InternalServiceFault
MENROLL_E_DEVICE_INTERNALSERVICE_ERROR
The server hit an unexpected issue
80180006
a:
InvalidSecurity
MENROLL_E_DEVICE_INVALIDSECURITY_ERROR
Cannot parse the security header
80180007
a:
InvalidSecurity
MENROLL_E_DEVICE_INVALIDSECURITY_ERROR
Cannot parse the security header
80180007
DeviceCapReached
MENROLL_E_DEVICECAPREACHED
User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.
80180013
DeviceCapReached
MENROLL_E_DEVICECAPREACHED
User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.
80180013
DeviceNotSupported
MENROLL_E_DEVICENOTSUPPORTED
Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.
80180014
DeviceNotSupported
MENROLL_E_DEVICENOTSUPPORTED
Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.
80180014
NotSupported
MENROLL_E_NOTSUPPORTED
Mobile device management generally not supported (would save an admin call)
80180015
NotSupported
MENROLL_E_NOTSUPPORTED
Mobile device management generally not supported (would save an admin call)
80180015
NotEligibleToRenew
MENROLL_E_NOTELIGIBLETORENEW
Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.
80180016
NotEligibleToRenew
MENROLL_E_NOTELIGIBLETORENEW
Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.
80180016
InMaintenance
MENROLL_E_INMAINTENANCE
Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.
80180017
InMaintenance
MENROLL_E_INMAINTENANCE
Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.
80180017
UserLicense
MENROLL_E_USERLICENSE
License of user is in bad state and blocking the enrollment. The user needs to call the admin.
80180018
UserLicense
MENROLL_E_USERLICENSE
License of user is in bad state and blocking the enrollment. The user needs to call the admin.
80180018
InvalidEnrollmentData
MENROLL_E_ENROLLMENTDATAINVALID
The server rejected the enrollment data. The server may not be configured correctly.
80180019
InvalidEnrollmentData
MENROLL_E_ENROLLMENTDATAINVALID
The server rejected the enrollment data. The server may not be configured correctly.
80180019
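Review bot: the EnrollmentServer row (MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR, 80180005) is the only row with no description in either the old or the new table; add one in the same style as the others (what the client should do when the enrollment server reports this fault). The constant MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR is spelled "CERTIFCATE"; verify it against the header it comes from before treating it as a typo, since silently correcting a documented identifier is worse than keeping an odd one. Also, in the NotEligibleToRenew row, "Client might show notification for this if Robo fails" should spell out what "Robo" refers to (the automatic certificate renewal attempt, if that is the intended meaning) for readers who have not met the term.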
The root node for the NetworkQoSPolicy configuration service provider.
+The root node for the NetworkQoSPolicy configuration service provider.
**Version** -Specifies the version information. +
Specifies the version information. -
The data type is int. +
The data type is int. -
The only supported operation is Get. +
The only supported operation is Get. ***Name*** -
Node for the QoS policy name. +
Node for the QoS policy name. ***Name*/IPProtocolMatchCondition** -
Specifies the IP protocol used to match the network traffic. +
Specifies the IP protocol used to match the network traffic. -
Valid values are: +
Valid values are: - 0 (default) - Both TCP and UDP - 1 - TCP - 2 - UDP -
The data type is int. +
The data type is int. -
The supported operations are Add, Get, Delete, and Replace. +
The supported operations are Add, Get, Delete, and Replace. ***Name*/AppPathNameMatchCondition** -
Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. +
Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. -
The data type is char. +
The data type is char. -
The supported operations are Add, Get, Delete, and Replace. +
The supported operations are Add, Get, Delete, and Replace. ***Name*/SourcePortMatchCondition** -
Specifies a single port or a range of ports to be used to match the network traffic source. +
Specifies a single port or a range of ports to be used to match the network traffic source. -
Valid values are: +
Valid values are: - A range of source ports: _[first port number]_-_[last port number]_ - A single source port: _[port number]_ -
The data type is char. +
The data type is char. -
The supported operations are Add, Get, Delete, and Replace. +
The supported operations are Add, Get, Delete, and Replace. ***Name*/DestinationPortMatchCondition** -
Specifies a single source port or a range of ports to be used to match the network traffic destination. +
Specifies a single source port or a range of ports to be used to match the network traffic destination. -
Valid values are: +
Valid values are: - A range of destination ports: _[first port number]_-_[last port number]_ - A single destination port: _[port number]_ -
The data type is char. +
The data type is char. -
The supported operations are Add, Get, Delete, and Replace. +
The supported operations are Add, Get, Delete, and Replace. ***Name*/PriorityValue8021Action** -
Specifies the IEEE 802.1p priority value to apply to matching network traffic. +
Specifies the IEEE 802.1p priority value to apply to matching network traffic. -
Valid values are 0-7. +
Valid values are 0-7. -
The data type is int. +
The data type is int. -
The supported operations are Add, Get, Delete, and Replace. +
The supported operations are Add, Get, Delete, and Replace. ***Name*/DSCPAction** -
The differentiated services code point (DSCP) value to apply to matching network traffic. +
The differentiated services code point (DSCP) value to apply to matching network traffic. -
Valid values are 0-63. +
Valid values are 0-63. -
The data type is int. +
The data type is int. -
The supported operations are Add, Get, Delete, and Replace. +
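Review bot: the DestinationPortMatchCondition description "Specifies a single source port or a range of ports to be used to match the network traffic destination" carries a copy-paste error over from the source-port entry; it should read "a single destination port or a range of ports". Both port conditions give the range as "_[first port number]_-_[last port number]_" without saying whether the range is inclusive; state that. For AppPathNameMatchCondition, the examples "application.exe" and "%ProgramFiles%\application.exe" leave it open whether a bare file name matches the executable at any path or only one location; say which, because that decides how easily an unrelated binary with the same name picks up the policy.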
The supported operations are Add, Get, Delete, and Replace. ## Related topics diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 40757af748..5e8ad6957f 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -48,8 +48,8 @@ The following table shows the OMA DM standards that Windows uses.
Data transport and session
Data transport and session
Client-initiated remote HTTPS DM session over SSL.
Remote HTTPS DM session over SSL.
Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
Bootstrap XML
Bootstrap XML
OMA Client Provisioning XML.
DM protocol commands
The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.
+DM protocol commands
The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.
Add (Implicit Add supported)
Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
Meta XML tag in SyncHdr is ignored by the device.
OMA DM standard objects
OMA DM standard objects
DevInfo
DevDetail
OMA DM DMS account objects (OMA DM version 1.2)
Security
Security
Authenticate DM server initiation notification SMS message (not used by enterprise management)
Application layer Basic and MD5 client authentication
Authenticate server with MD5 credential at application level
Nodes
In the OMA DM tree, the following rules apply for the node name:
+Nodes
In the OMA DM tree, the following rules apply for the node name:
"." can be part of the node name.
The node name cannot be empty.
Provisioning Files
Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.
+Provisioning Files
Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.
If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
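Review bot: the transport rows still say "HTTPS DM session over SSL"; the Windows client negotiates TLS, and "SSL" in a security table invites the wrong conclusion about which protocol versions are accepted, so change it to "over TLS" while these rows are being touched. The Security rows list "Application layer Basic and MD5 client authentication" and "Authenticate server with MD5 credential at application level" without a pointer to the transport-level mutual authentication that the session table further down describes ("mutual authentication over an SSL channel or at the DM application level"); a one-line cross-reference here would stop a reader from building a server that relies on the MD5 challenge alone.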
@@ -133,12 +133,12 @@ The following table shows the OMA DM standards that Windows uses.WBXML support
Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.
WBXML support
Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.
Handling of large objects
In Windows 10, version 1511, client support for uploading large objects to the server was added.
Handling of large objects
In Windows 10, version 1511, client support for uploading large objects to the server was added.
Chal
Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.
Chal
Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.
Cmd
Specifies the name of an OMA DM command referenced in a Status element.
Cmd
Specifies the name of an OMA DM command referenced in a Status element.
CmdID
Specifies the unique identifier for an OMA DM command.
CmdID
Specifies the unique identifier for an OMA DM command.
CmdRef
Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.
CmdRef
Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.
Cred
Specifies the authentication credential for the originator of the message.
Cred
Specifies the authentication credential for the originator of the message.
Final
Indicates that the current message is the last message in the package.
Final
Indicates that the current message is the last message in the package.
LocName
Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.
LocName
Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.
LocURI
Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
LocURI
Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
MsgID
Specifies a unique identifier for an OMA DM session message.
MsgID
Specifies a unique identifier for an OMA DM session message.
MsgRef
Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.
MsgRef
Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.
RespURI
Specifies the URI that the recipient must use when sending a response to this message.
RespURI
Specifies the URI that the recipient must use when sending a response to this message.
SessionID
Specifies the identifier of the OMA DM session associated with the containing message.
+SessionID
Specifies the identifier of the OMA DM session associated with the containing message.
Source
Specifies the message source address.
Source
Specifies the message source address.
SourceRef
Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.
SourceRef
Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.
Target
Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.
Target
Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.
TargetRef
Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.
TargetRef
Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.
VerDTD
Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.
VerDTD
Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.
VerProto
Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.
VerProto
Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.
1
DM client is invoked to call back to the management server
+1
DM client is invoked to call back to the management server
Enterprise scenario – The device task schedule invokes the DM client.
The MO server sends a server trigger message to invoke the DM client.
+The MO server sends a server trigger message to invoke the DM client.
The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.
2
The device sends a message, over an IP connection, to initiate the session.
This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
2
The device sends a message, over an IP connection, to initiate the session.
This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
3
The DM server responds, over an IP connection (HTTPS).
The server sends initial device management commands, if any.
3
The DM server responds, over an IP connection (HTTPS).
The server sends initial device management commands, if any.
4
The device responds to server management commands.
This message includes the results of performing the specified device management operations.
4
The device responds to server management commands.
This message includes the results of performing the specified device management operations.
5
The DM server terminates the session or sends another command.
The DM session ends, or Step 4 is repeated.
5
The DM server terminates the session or sends another command.
The DM session ends, or Step 4 is repeated.
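Review bot: step 1 of the session table describes the server trigger path ("The MO server sends a server trigger message to invoke the DM client", "The client device authenticates the trigger message") without the qualifier the Security table above attaches to it ("not used by enterprise management"); repeat it here, otherwise an enterprise reader takes the SMS trigger as part of the supported flow. Step 2's "mutual authentication over an SSL channel" should say TLS, and should name which credential each side presents (the device's enrollment certificate and the server certificate, if that is the intended design), since that check is what makes the commands in steps 3 to 5 trustworthy.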
Defines the root node for the Personalization configuration service provider.
+Defines the root node for the Personalization configuration service provider.
**DesktopImageUrl** -Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**DesktopImageStatus** -Represents the status of the desktop image. Valid values:
+Represents the status of the desktop image. Valid values:
Supporter operation is Get.
+Supporter operation is Get.
> [!Note] > This setting is only used to query status. To set the image, use the DesktopImageUrl setting. **LockScreenImageUrl** -Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**LockScreenImageStatus** -Represents the status of the lock screen image. Valid values:
+Represents the status of the lock screen image. Valid values:
Supporter operation is Get.
+Supporter operation is Get.
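Review bot: "Supporter operation is Get." is kept unchanged in the new lines for both DesktopImageStatus and LockScreenImageStatus; it should be "Supported operation is Get." The "Valid values:" lists for the two *Status nodes are not in this hunk; confirm they survive the cleanup. DesktopImageUrl and LockScreenImageUrl accept "a http or https Url to a remote image to be downloaded"; note that a plain http URL fetches the image without integrity protection and recommend https or a local file Url for managed devices.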
> [!Note] > This setting is only used to query status. To set the image, use the LockScreenImageUrl setting. diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index da0f0543dc..a03f3f09f7 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -48,24 +48,24 @@ The following diagram shows the Policy configuration service provider in tree fo **./Vendor/MSFT/Policy** -The root node for the Policy configuration service provider. +
The root node for the Policy configuration service provider. -
Supported operation is Get. +
Supported operation is Get. **Policy/Config** -
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. +
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. -
Supported operation is Get. +
Supported operation is Get. **Policy/Config/_AreaName_** -
The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. +
The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. -
Supported operations are Add, Get, and Delete. +
Supported operations are Add, Get, and Delete. **Policy/Config/_AreaName/PolicyName_** -
Specifies the name/value pair used in the policy. +
Specifies the name/value pair used in the policy. -
The following list shows some tips to help you when configuring policies: +
The following list shows some tips to help you when configuring policies: - Separate substring values by the Unicode &\#xF000; in the XML file. @@ -77,59 +77,59 @@ The following diagram shows the Policy configuration service provider in tree fo - Value type is string. **Policy/Result** -
Groups the evaluated policies from all providers that can be configured. +
Groups the evaluated policies from all providers that can be configured. -
Supported operation is Get. +
Supported operation is Get. **Policy/Result/_AreaName_** -
The area group that can be configured by a single technology independent of the providers. +
The area group that can be configured by a single technology independent of the providers. -
Supported operation is Get. +
Supported operation is Get. **Policy/Result/_AreaName/PolicyName_** -
Specifies the name/value pair used in the policy. +
Specifies the name/value pair used in the policy. -
Supported operation is Get. +
Supported operation is Get. **Policy/ConfigOperations** -
Added in Windows 10, version 1703. The root node for grouping different configuration operations. +
Added in Windows 10, version 1703. The root node for grouping different configuration operations. -
Supported operations are Add, Get, and Delete. +
Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall** -
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall
. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration.
+
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall
. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration.
> [!NOTE]
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
-
ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}
.
+
ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}
.
-
Supported operations are Add, Get, and Delete. +
Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_** -
Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. +
Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. -
Supported operations are Add, Get, and Delete. +
Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Policy** -
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. +
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. -
Supported operations are Add, Get, and Delete. +
Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_** -
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. +
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. -
Supported operations are Add and Get. Does not support Delete. +
Supported operations are Add and Get. Does not support Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Preference** -
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. +
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. -
Supported operations are Add, Get, and Delete. +
Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_** -
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. +
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. -
Supported operations are Add and Get. Does not support Delete. +
Supported operations are Add and Get. Does not support Delete. ## Policies diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index b394ffb753..3df3e81293 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -761,7 +761,7 @@ PIN enforces the following behavior for desktop and mobile devices: The default value is 1. The following list shows the supported values and actual enforced values: -
Mobile |
-1,2,3,4 |
-Same as the value set |
+Mobile |
+1,2,3,4 |
+Same as the value set |
Desktop Local Accounts |
-1,2,3 |
-3 |
+Desktop Local Accounts |
+1,2,3 |
+3 |
Desktop Microsoft Accounts |
-1,2 |
-<p2 | +Desktop Microsoft Accounts |
+1,2 |
+<p2 |
Desktop Domain Accounts |
-Not supported |
-Not supported | +Desktop Domain Accounts |
+Not supported |
+Not supported |
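Review bot: Every removed line in the Policy/ConfigOperations/ADMXInstall hunk reappears as an added line with identical text (for example "Supported operations are Add, Get, and Delete." and the full ADMXInstall description paragraph), so this hunk changes only whitespace or line endings; confirm that is intended, and if it is a line-ending normalization, consider doing it repository-wide in a dedicated commit so content changes stay reviewable. While here, the sentence-ending period after the URIs ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall and ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName} sits on its own line in both the old and the new text; keep the period on the same line as the link text so the rendered sentence does not break after the URI.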
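Review bot: In the @@ -761,7 +761,7 @@ hunk of policy-csp-devicelock.md, the "Desktop Microsoft Accounts" row still carries the malformed enforced-value cell "<p2" on both the removed and the added line; the neighbouring rows use plain values ("3", "Same as the value set", "Not supported"), so this reads as a broken tag that should become "2" in the same cell markup as the other rows rather than being carried over unchanged. The rest of this hunk, as in the previous file, re-adds each removed line with identical text, so it is a whitespace-only change and the table typo is the one content fix worth making here.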