deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Incorporated feedback from dev

Browse Source
This commit is contained in:
ManikaDhiman 2019-09-27 16:49:53 -07:00
parent fdd7ffe269
commit fe499c3a1f
2 changed files with 373 additions and 173 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

334
windows/client-management/mdm/bitlocker-csp.md
View File

@ -6,12 +6,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
ms.date: 09/19/2019
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# BitLocker CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
> [!NOTE]
@ -520,7 +523,8 @@ Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery informatio
Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
&gt; [!Note]<br/>&gt; If the &quot;OSRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
> [!Note]
> If the &quot;OSRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
@ -533,25 +537,17 @@ Sample value for this node to enable this policy is:
```
The possible values for &#39;xx&#39; are:
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
<li></li>
</ul>
- true = Explicitly allow
- false = Policy not set
The possible values for &#39;yy&#39; are:
<ul>
<li>2 = Allowed</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
- 2 = Allowed
- 1 = Required
- 0 = Disallowed
The possible values for &#39;zz&#39; are:
<ul>
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
<li></li>
</ul>
- 2 = Store recovery passwords only
- 1 = Store recovery passwords and key packages
Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
@ -896,6 +892,160 @@ If you want to disable this policy use the following SyncML:
</Item>
</Replace>
```
<a href="" id="configurerecoverypasswordrotation"></a>**ConfigureRecoveryPasswordRotation**
This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys.
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Value type is int. Supported operations are Add, Delete, Get, and Replace.
Supported values are:
- 0 Refresh off (default)
- 1 Refresh on for Azure AD-joined devices
- 2 Refresh on for both Azure AD-joined and hybrid-joined devices
<a href="" id="rotaterecoverypasswords"></a>**RotateRecoveryPasswords**
This setting refreshes all recovery passwords for OS and fixed drives (removable drives are not included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate.
The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed.
Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client will not retry, but if needed, the server can re-issue the execute request.
Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh.
Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices cannot refresh recovery passwords if they are only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account.
Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request.
- RotateRecoveryPasswordsRequestID: Returns request ID of last request processed.
- RotateRecoveryPasswordsRotationStatus: Returns status of last request processed.
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Value type is string. Supported operation is Execute. Request ID is expected as a parameter.
<a href="" id="status"></a>**Status**
Interior node. Supported operation is Get.
<a href="" id="status-deviceencryptionstatus"></a>**Status/DeviceEncryptionStatus**
This node reports compliance state of device encryption on the system.
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Supported values:
- 0 - Indicates that the device is compliant.
- Any other value represents a non-compliant device.
Value type is int. Supported operation is Get.
<a href="" id="status-rotaterecoverypasswordsstatus"></a>**Status/RotateRecoveryPasswordsStatus**
This node reports the status of RotateRecoveryPasswords request.
Status code can be one of the following:
- 2 Not started
- 1 - Pending
- 0 - Pass
- Any other code - Failure HRESULT
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Value type is int. Supported operation is Get.
<a href="" id="status-rotaterecoverypasswordsrequestid"></a>**Status/RotateRecoveryPasswordsRequestID**
This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID.
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Value type is string. Supported operation is Get.
### SyncML example
The following example is provided to show proper format and should not be taken as a recommendation.
@ -1059,153 +1209,3 @@ The following example is provided to show proper format and should not be taken
</SyncBody>
</SyncML>
```
<a href="" id="configurerecoverypasswordrotation"></a>**ConfigureRecoveryPasswordRotation**
This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys.
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Value type is int. Supported operations are Add, Delete, Get, and Replace.
Supported values are:
- 0 Refresh off (default)
- 1 Refresh on for Azure AD-joined devices
- 2 Refresh on for both Azure AD-joined and hybrid-joined devices
<a href="" id="rotaterecoverypasswords"></a>**RotateRecoveryPasswords**
This setting refreshes all recovery passwords for OS and fixed drives (removable drives are not included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate.
The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed.
Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client will not retry, but if needed, the server can re-issue the execute request.
Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh.
Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices cannot refresh recovery passwords if they are only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account.
Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request.
- RotateRecoveryPasswordsRequestID: Returns request ID of last request processed.
- RotateRecoveryPasswordsRotationStatus: Returns status of last request processed.
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Value type is int. Supported operation is Execute.
<a href="" id="status"></a>**Status**
Interior node. Supported operation is Get.
<a href="" id="status-deviceencryptionstatus"></a>**Status/DeviceEncryptionStatus**
This node reports compliance state of device encryption on the system.
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Supported values:
- 0 - Indicates that the device is compliant.
- Any other value represents a non-compliant device.
Value type is int. Supported operation is Get.
<a href="" id="status-rotaterecoverypasswordsstatus"></a>**Status/RotateRecoveryPasswordsStatus**
This node reports the status of RotateRecoveryPasswords request.
Status code can be one of the following:
- 2 Not started
- 1 - Pending
- 0 - Pass
- Any other code - Failure
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Value type is int. Supported operation is Get.
<a href="" id="status-rotaterecoverypasswordsrequestid"></a>**Status/RotateRecoveryPasswordsRequestID**
This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID.
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
Value type is chr. Supported operation is Get.

204
windows/client-management/mdm/bitlocker-ddf-file.md
View File

@ -20,7 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **BitLock
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version Windows 10, version 1809.
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
@ -46,7 +46,7 @@ The XML below is the current version Windows 10, version 1809.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/3.0/MDM/BitLocker</MIME>
<MIME>com.microsoft/5.0/MDM/BitLocker</MIME>
<DDFName></DDFName>
</DFType>
</DFProperties>
@ -736,6 +736,206 @@ The XML below is the current version Windows 10, version 1809.
</MSFT:SupportedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ConfigureRecoveryPasswordRotation</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description> Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices.
When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when
Active Directory back up for recovery password is configured to required.
For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives"
For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives"
Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>112</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/ConfigureRecoveryPasswordRotation</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
<MSFT:SupportedValues low="0" high="2">
<MSFT:SupportedValue value="0" description="Numeric Recovery Passwords Key rotation OFF"/>
<MSFT:SupportedValue value="1" description="Default Value. Numeric Recovery Passwords Key Rotation ON for AAD joined devices."/>
<MSFT:SupportedValue value="2" description="Numeric Recovery Passwords Key Rotation ON for both AAD and Hybrid devices"/>
</MSFT:SupportedValues>
</DFProperties>
</Node>
<Node>
<NodeName>RotateRecoveryPasswords</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description> Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device.
This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
The policy only comes into effect when Active Directory backup for a recovery password is configured to "required."
* For OS drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives."
*For fixed drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for fixed data drives."
Client returns status DM_S_ACCEPTED_FOR_PROCESSING to indicate the rotation has started. Server can query status with the following status nodes:
* status\RotateRecoveryPasswordsStatus
* status\RotateRecoveryPasswordsRequestID
Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\
<Exec>
<CmdID>113</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RotateRecoveryPasswords</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;RequestID/&gt;</Data>
</Item>
</Exec>
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DeviceEncryptionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports compliance state of device encryption on the system.
Value '0' means the device is compliant. Any other value represents a non-compliant device.
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RotateRecoveryPasswordsStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description> This Node reports the status of RotateRecoveryPasswords request.
Status code can be one of the following:
NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RotateRecoveryPasswordsRequestID</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description> This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus
To ensure the status is correctly matched to the request ID.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```