What password settings can be set through Windows 8.1 MDM to enforce a password policy on the device?

  • Question

  • In the Windows 8.1 MDM document there is no mention of what SyncML format should be pushed to the device to enforce a password policy.

    I want to enforce the following password policy on the device through MDM.

    1. DisallowConvenienceLogon 
    2. AutolockTimeout
    3. MinPasswordComplexCharacters
    4. Alphanumeric characters.

    There is no mention in the document of what the <LocURI> node value should be to set the password policy.

    If anyone has an answer, please reply.

    Thanks,

    Sebastian

    E.g. SyncML for EASPolicy; I'm expecting something like this to be available to enforce a password policy.

    <SyncBody>
    <Exec>
    <CmdID>11</CmdID>
    <Item>
    <Target>
    <LocURI>./cimv2/MDM_EASPolicy/MDM_EASPolicy.Key=%221%22/Exec=SetValues</LocURI>
    </Target>
    <Meta>
    <Format xmlns="syncml:metinf">chr</Format>
    <Type xmlns="syncml:metinf">text/plain</Type>
    </Meta>
    <Data>NamedValuesList=MinPasswordLength,8;</Data>
    </Item>
    </Exec>
    ...
    </SyncBody>

    • Moved by Marvin_Guo Tuesday, March 4, 2014 8:38 AM MDM
    Monday, March 3, 2014 4:01 AM


All replies

  • Hi,

    From your description, this thread is related to the Windows Protocols forum, which is more suitable for it. I will help you move it to the Windows Protocols forum.

    Regards,




    • Edited by Marvin_Guo Tuesday, March 4, 2014 8:37 AM
    Tuesday, March 4, 2014 8:37 AM
  • Hello Sebastian,
    Thank you for your inquiry about the MS-MDM specification. One of the Open Specifications team members will contact you shortly.

     
    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open specifications

    Tuesday, March 4, 2014 2:38 PM
    Moderator
  • Sebastian,

    I will research this and follow-up.

    Thanks,

    Edgar

    Tuesday, March 4, 2014 4:12 PM
    Moderator
  • Sebastian,

    The MDM_EASPolicy class and properties are already specified in MS-MDM. Please note that, on Windows 8.1, the management service can only set password policy for local accounts or Microsoft accounts. The OMA-DM agent is disabled when a Windows 8.1 device is domain-joined, and as a result the management service cannot set password policy for a domain joined account.

    The DM service targets the remote WMI class MDM_EASPolicy to set password policy. The class is specified in MS-MDM 6.2 MDMSettingsProv MOF File. http://msdn.microsoft.com/en-us/library/dn392112.aspx

    See Section “3.1.5.1.5 Exec” for the SyncML Request Commands. The LocURI of class MDM_EASPolicy is ./cimv2/MDM_EASPolicy

    Note that in the current Windows 8.1 implementation, the convenience login PIN password is not manageable by policy. Once DisallowConvenienceLogon has been set on a device, it cannot be turned off through OMA-DM management. Also, the device management service cannot query the current password policy on the user or device.

    Thanks,

    Edgar

    Friday, March 7, 2014 5:53 AM
    Moderator
  • Thanks for the reply, Edgar. It was helpful.

    If a password policy is enforced, how can we disable it through an MDM command in Windows 8.1?

    In Windows Phone 8 there is a node like this:

    "./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordEnabled"

    Is there a similar Windows 8.1 MDM node where enabling and disabling the password can be done?

    Also, can you give some more detail on the "convenience login" option?

    Thanks,

    Sebastian.


    Monday, March 10, 2014 7:24 AM
  • Sebastian,

    I will look into this and follow-up soon.

    Thanks,

    Edgar

    Monday, March 10, 2014 4:49 PM
    Moderator
  • Sebastian,

    Windows 8.1 does not have an equivalent of “DevicePasswordEnabled”. The Windows 8.1 based OMA-DM agent does not allow disabling password policy through MDM after it has been enforced. Also, the EAS framework does not allow setting a less restrictive policy.

    The purpose of DisallowConvenienceLogon is to prevent the end user from setting up a convenience login on the device (e.g. PIN password, picture password). Therefore, OMA-DM makes it possible to disallow convenience login. However, convenience login is not manageable by MDM policy, i.e. OMA-DM does not support re-allowing it at a later time. Once DisallowConvenienceLogon has been set on a device, it cannot be turned off through OMA-DM management.

    Thanks,

    Edgar

    Wednesday, March 12, 2014 9:15 PM
    Moderator
  • Thanks for the answer Edgar. It answered my question.

    When I push a password policy through the EAS framework I see that my password command status is successful (the command status returns value 200). But the device takes more than the expected time to enforce the password policy.

    Suppose I set AutolockTimeout = 1 minute. I can see this policy enforced either after 20 to 30 minutes of device inactivity, or when the device forces a password change, or once the device goes into sleep mode and comes back.

    Once the policy is enforced I can see the AutolockTimeout happening after every one minute of inactivity.

    How do I tackle this issue?

    Thanks,

    Sebastian


    Thursday, March 13, 2014 6:29 AM
  • Sebastian,

    I am investigating this and will follow-up soon.

    Thanks,

    Edgar

    Saturday, March 15, 2014 3:26 AM
    Moderator
  • Once the password policy is executed, where does Windows 8.1 set the values?

    Which location can I look in on Windows 8.1 to see the values set through the password policy?

    Monday, March 17, 2014 1:12 PM
  • Sebastian,

    The behavior you are observing is presumably a caveat in Windows 8.1 and the EAS framework. Setting a more restrictive password policy on the device does not immediately enforce the new settings until some specific state events.

    For instance, the user will be asked to change their password the next time they login. Similarly, the AutolockTimeout EAS policy could be applied when the user logs off and logs back on.

    There might be some other settings being applied locally that trigger the state conditions, e.g. it might be one of the power settings that lock the screen.

    Password policy pushed via device management is applied through EAS framework and I do not know the location where each policy is stored on Windows. However, that should not affect the MS-MDM protocol specification.

    Thanks,

    Edgar

    Monday, March 17, 2014 8:57 PM
    Moderator
  • Hi Edgar,

    Thanks for the support.

    I did try pushing the passcode policy, then logging the user off and on. But this did not prompt me to change the password.

    Can you suggest some specific settings / events that can be set so that this event gets triggered immediately, so we could verify that a passcode change is prompted?

    Also, I was going through regedit, where I found a key 'EAS' and a few entries; the paths are provided below:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\EAS\Policies

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\EAS\Policies\ControlledUsers\S-1-5-21-2308715169-2711801018-1661370164-1001

    Is there any significance of this key for any policies that we apply (passcode policy)?

    Regards,

    Sebastian

    Wednesday, March 19, 2014 9:25 AM
  • Hi Edgar,

    One more query regarding password policy 

    Since the password policy uses the EAS framework, I ran WMI Explorer on a Windows 8.1 machine to view the MDM_EASPolicy class instance after I pushed the password policy. I could not see an instance of the class, or any values set for the class properties.

    Whereas when I enroll a device, I can see an MDM_Client instance running on the Windows 8.1 device with the parameters I sent.

    Here are the namespaces I looked into using WMI Explorer.

    ./cimv2/MDM/MDM_EASPolicy
    ./cimv2/MDM/MDM_Client

    Is this the reason for the password policy not getting enforced on the device? Please check with your technical team to see whether there is something I need to correct while sending SyncML to the device.


    <SyncML xmlns="SYNCML:SYNCML1.2">
    <!-- SyncHdr omitted in the post -->
    <SyncBody>
    <Exec>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./cimv2/MDM_EASPolicy/MDM_EASPolicy.Key=%221%22/Exec=SetValues</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
          <Type xmlns="syncml:metinf">text/plain</Type>
        </Meta>
        <Data>NamedValuesList=MinPasswordLength,8;AutolockTimeout,30;MaxHistory,24;Expiration,0;MaxAttemptsBeforeWipe,6;MinPasswordComplexCharacters,1</Data>
      </Item>
    </Exec>
    <Final />
    </SyncBody>
    </SyncML>

    Thanks,

    Sebastian.



    Thursday, March 20, 2014 4:18 AM
  • Hi Edgar,

    We are following the MS-MDM document and it has no information about any of the things you have mentioned above. We would like to know which features are implemented in the DM client of Windows 8.1 and how they behave. Can you please share some document which will help us in understanding these, or redirect us to the right contact?

    Regarding the question above: as you have mentioned, the password policy will be enforced on some specific events. Can you please provide the exact events which will trigger this?

    Also, it would be helpful if you could provide some tips for tracing or viewing logs from the MDM client.

    Thanks

    Keshav

    Thursday, March 20, 2014 9:48 AM
  • Hi,

    I see these posts and will respond soon.

    Thanks,

    Edgar


    Thursday, March 20, 2014 10:00 PM
    Moderator
  • The MDM protocol does not mandate the location where a policy is stored or when the policy will be enforced. Those are implementation details, e.g. whether a locked screen or device restart is needed before the policy takes effect.

    Please find my observations as follows.

    The Windows 8.1 based OMA-DM agent applies password policy through the EAS framework. The EAS framework does not allow setting a less restrictive policy. Once a password policy has been enforced, a less restrictive policy cannot be set.  For example, if the password minimum length is first set to 8, the DM service cannot change the minimum length to 6.

    Some password policy properties set the policy for the device which means all users configured on the device will be subject to the policy. One such property I could think of is the AutolockTimeout property.

    The supported password properties by the MDM_EASPolicy class are defined in MS-MDM: MinPasswordLength, DisallowConvenienceLogon, AutolockTimeout, MaxHistory, Expiration, MaxAttemptsBeforeWipe, MinPasswordComplexCharacters.

    An example of SyncML looks like the following.

    <Exec>
      <CmdID>{unique command id in message}</CmdID>
      <Item>
        <Target>
          <LocURI>./cimv2/MDM_EASPolicy/MDM_EASPolicy.Key=%221%22/Exec=SetValues</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
          <Type xmlns="syncml:metinf">text/plain</Type>
        </Meta>
        <Data>NamedValuesList=MinPasswordLength,8;AutolockTimeout,5</Data>
      </Item>
    </Exec>

    Regarding tips on tracing and viewing logs on the Windows MDM agent, we do not have any dedicated logging or tools.

    Finally, I’d like to reiterate that this forum is to handle requests related to Open Specifications documentation issues.

    If you need product support assistance, the best support avenue would be through traditional support.

    a. If you have Premier agreements, you can engage your Microsoft Technical Account Manager (TAM) and get a support case opened.

    b. Otherwise, you possibly have a MSDN subscription that you can use to create support incidents.

    c. Alternatively, you can get assistance through one of the support options at http://support.microsoft.com

    Thanks,

    Edgar
    Friday, March 21, 2014 9:33 PM
    Moderator
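Edgar's earlier answer (the DM service targets MDM_EASPolicy, and the service cannot query the device's current password policy) and the post above (the list of password properties, and the EAS framework refusing a less restrictive policy) together put an obligation on the server: it must keep its own record of what it has already enforced, because the device will neither report it nor accept a rollback. The following Python is an added example written for this page, not code from the thread, from MS-MDM or from Microsoft. It builds the SetValues Exec in the form shown above and refuses a push that would relax an already-enforced property. The "stricter direction" assigned to each property, the treatment of 0 as "not enforced" for the timeout and counter properties, and the %22-encoded instance key are this example's assumptions.

```python
"""Added example (not from the thread or from MS-MDM): server-side helpers for
pushing password policy to Windows 8.1 via the MDM_EASPolicy.SetValues Exec.

Assumptions made here, not stated by the thread: the percent-encoded quote
(%22) form of the instance key, and the "stricter direction" of each property
below, which is this example's reading of the EAS semantics."""
from urllib.parse import quote
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Password properties of MDM_EASPolicy as listed in the thread (from MS-MDM).
EAS_PASSWORD_PROPERTIES = frozenset({
    "MinPasswordLength", "DisallowConvenienceLogon", "AutolockTimeout",
    "MaxHistory", "Expiration", "MaxAttemptsBeforeWipe",
    "MinPasswordComplexCharacters",
})
# Assumption: for these, a larger value is the stricter policy.
HIGHER_IS_STRICTER = frozenset({
    "MinPasswordLength", "MinPasswordComplexCharacters", "MaxHistory",
    "DisallowConvenienceLogon",
})
# Assumption: for these, a smaller non-zero value is stricter and 0 means
# "not enforced", i.e. the least restrictive setting.
LOWER_IS_STRICTER = EAS_PASSWORD_PROPERTIES - HIGHER_IS_STRICTER


def eas_policy_locuri(key="1"):
    """LocURI of the SetValues method on one MDM_EASPolicy instance.
    The quotes around the key are percent-encoded (%22) because a raw '"'
    is not a valid URI character."""
    q = quote('"', safe="")  # -> %22
    return f"./cimv2/MDM_EASPolicy/MDM_EASPolicy.Key={q}{key}{q}/Exec=SetValues"


def build_eas_policy_exec(cmd_id, values, key="1"):
    """Return the <Exec> element that sets the given password properties."""
    unknown = set(values) - EAS_PASSWORD_PROPERTIES
    if unknown:
        raise ValueError(f"not MDM_EASPolicy password properties: {sorted(unknown)}")
    # NamedValuesList is a ';'-separated list of 'Name,Value' pairs.
    data = "NamedValuesList=" + ";".join(f"{k},{int(v)}" for k, v in values.items())
    return (
        f"<Exec><CmdID>{int(cmd_id)}</CmdID><Item>"
        f"<Target><LocURI>{eas_policy_locuri(key)}</LocURI></Target>"
        '<Meta><Format xmlns="syncml:metinf">chr</Format>'
        '<Type xmlns="syncml:metinf">text/plain</Type></Meta>'
        f"<Data>{escape(data)}</Data></Item></Exec>"
    )


def parse_named_values(exec_xml):
    """Round-trip check: read the NamedValuesList back out of an <Exec>."""
    data = ET.fromstring(exec_xml).findtext("./Item/Data") or ""
    if not data.startswith("NamedValuesList="):
        raise ValueError("no NamedValuesList in Data")
    pairs = [p for p in data[len("NamedValuesList="):].split(";") if p]
    return {name: int(value) for name, value in (p.split(",", 1) for p in pairs)}


def relaxed_properties(enforced, proposed):
    """Names in `proposed` that would be LESS restrictive than what the device
    already enforces. The Windows 8.1 EAS framework rejects such changes, and
    the device cannot be queried for its current policy, so the server must
    keep `enforced` itself."""
    relaxed = []
    for name, new in proposed.items():
        if name not in enforced:
            continue
        old = enforced[name]
        if name in HIGHER_IS_STRICTER:
            if new < old:
                relaxed.append(name)
        elif (new == 0 and old != 0) or (old != 0 and new > old):
            relaxed.append(name)
    return relaxed


def plan_policy_push(cmd_id, enforced, proposed):
    """Build the Exec and the updated server-side record of enforced policy,
    refusing any push that would relax a property already enforced."""
    relaxed = relaxed_properties(enforced, proposed)
    if relaxed:
        raise ValueError(f"cannot relax already-enforced properties: {relaxed}")
    return build_eas_policy_exec(cmd_id, proposed), {**enforced, **proposed}


if __name__ == "__main__":
    exec_xml, enforced = plan_policy_push(11, {}, {"MinPasswordLength": 8, "AutolockTimeout": 5})
    print(exec_xml)
    print(relaxed_properties(enforced, {"MinPasswordLength": 6}))
```

The Exec string is the body of a single command; it still has to be wrapped in the SyncHdr/SyncBody of a real MS-MDM message, and the Status the client returns for that CmdID (200 in Sebastian's runs) only confirms that the command was accepted, not that the policy has taken effect.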
  • Hi Edgar,

    I have another question regarding the LockWorkstation() method of the MDM_Client class. I sent SyncML with an execute command with no data parameters, as mentioned in the MS-MDM document. The Windows 8.1 system/device screen did not get locked.

    Could you give a sample SyncML that performs the execute command for the LockWorkstation() method?

    Thanks,

    Sebastian.

    Wednesday, March 26, 2014 6:10 PM
  • Hi Sebastian,

    Thank you for this new question. I will look into this and follow-up.

    Thanks,

    Edgar

    Wednesday, March 26, 2014 6:44 PM
    Moderator
  • Sebastian,

    An example of SyncML for device locking through MDM is as follows.
    <Exec>
      <CmdID>{unique command id in message}</CmdID>
      <Item>
        <Target>
          <LocURI>
    ./cimv2/MDM_Client/MDM_Client.DeviceClientID=%22e49e0231-67bf-4161-b69f-cb5928f63bff%22/Exec=LockWorkstation
          </LocURI>
        </Target>
      </Item>
    </Exec>

    The OMA-DM agent will respond with a Status command which reports status on the lock.

    Recall that the MDM_Client class uses the client’s DeviceID as key.
    The following SyncML example shows how to retrieve the DeviceID using a Get command.

    <Get>
      <CmdID>6</CmdID>
      <Item>
        <Target>
          <LocURI>./cimv2/MDM_Client</LocURI>
        </Target>
      </Item>
    </Get>
    The client will respond to the Get Command on the MDM_Client class with Status and Results commands similar to the following:
    <Status>
      <CmdID>2</CmdID>
      <MsgRef>1</MsgRef>
      <CmdRef>6</CmdRef>
      <Cmd>Get</Cmd>
      <Data>200</Data>
    </Status>
    <Results>
      <CmdID>3</CmdID>
      <MsgRef>1</MsgRef>
      <CmdRef>6</CmdRef>
      <Item>
        <Source>
          <LocURI>./cimv2/MDM_Client</LocURI>
        </Source>
        <Meta>
          <Format xmlns="syncml:metinf">node</Format>
        </Meta>
        <Data>MDM_Client.DeviceID="e49e0231-67bf-4161-b69f-cb5928f63bff"</Data>
      </Item>
    </Results>

    Thanks,

    Edgar

    Friday, March 28, 2014 4:10 AM
    Moderator
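The exchange in the post above has two halves the server must tie together: the Results answering its Get on ./cimv2/MDM_Client carries the device identifier, and that identifier then becomes the instance key in the LockWorkstation Exec. The Python below is an added example written for this page, not code from the thread, from MS-MDM or from Microsoft. The sample response is constructed from the Status/Results shown above (with the SYNCML:SYNCML1.2 default namespace added, so the parser is exercised with and without it); the DeviceClientID key name in the LocURI follows Edgar's Exec, which Sebastian reported working, and treating the value in the Get result's DeviceID field as that key is this example's assumption.

```python
"""Added example (not from the thread or from MS-MDM): the server side of the
MDM_Client exchange, i.e. read the DeviceID out of the Get result, check the
Status for our own command, and build the LockWorkstation Exec."""
import re
from urllib.parse import quote
from xml.etree import ElementTree as ET

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample response to a Get with CmdID 6 on ./cimv2/MDM_Client,
# built from the thread's example (not a capture from a real device).
SAMPLE_RESPONSE = """<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>
<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>6</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status>
<Results><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>6</CmdRef>
<Item><Source><LocURI>./cimv2/MDM_Client</LocURI></Source>
<Meta><Format xmlns="syncml:metinf">node</Format></Meta>
<Data>MDM_Client.DeviceID="e49e0231-67bf-4161-b69f-cb5928f63bff"</Data></Item></Results>
<Final/></SyncBody></SyncML>"""


def _local(tag):
    """Strip the namespace so the same code reads bodies with or without
    the SYNCML:SYNCML1.2 default namespace."""
    return tag.rsplit("}", 1)[-1]


def _children(root, name):
    return [el for el in root.iter() if _local(el.tag) == name]


def status_for(response_xml, cmd_ref):
    """Status code the client reported for our command `cmd_ref`, matched on
    CmdRef rather than position, or None if no Status refers to it."""
    for st in _children(ET.fromstring(response_xml), "Status"):
        fields = {_local(c.tag): (c.text or "").strip() for c in st}
        if fields.get("CmdRef") == str(cmd_ref):
            return int(fields["Data"])
    return None


def parse_device_id(response_xml, cmd_ref):
    """DeviceID from the Results that answers our Get (CmdRef == cmd_ref)."""
    for res in _children(ET.fromstring(response_xml), "Results"):
        fields = {_local(c.tag): (c.text or "").strip() for c in res}
        if fields.get("CmdRef") != str(cmd_ref):
            continue
        for data in _children(res, "Data"):
            m = re.search(r'MDM_Client\.DeviceID="([^"]*)"', data.text or "")
            if m:
                return m.group(1)
    return None


def lock_workstation_exec(cmd_id, device_id):
    """Exec invoking MDM_Client.LockWorkstation on the instance keyed by
    device_id. The id is validated as a GUID before it is embedded in the
    LocURI so a malformed value from the client cannot alter the URI."""
    if not GUID_RE.fullmatch(device_id):
        raise ValueError(f"not a GUID: {device_id!r}")
    q = quote('"', safe="")  # -> %22
    locuri = (f"./cimv2/MDM_Client/MDM_Client.DeviceClientID={q}{device_id}{q}"
              "/Exec=LockWorkstation")
    return (f"<Exec><CmdID>{int(cmd_id)}</CmdID><Item><Target>"
            f"<LocURI>{locuri}</LocURI></Target></Item></Exec>")


if __name__ == "__main__":
    # Only issue the lock once the Get we sent as CmdID 6 came back with 200.
    if status_for(SAMPLE_RESPONSE, 6) == 200:
        print(lock_workstation_exec(7, parse_device_id(SAMPLE_RESPONSE, 6)))
```

Matching Status and Results on CmdRef matters once a message carries several commands: the client numbers its own CmdIDs (2 and 3 above), so those numbers say nothing about which server command they answer.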
  • Hi Edgar,

    Regarding the LockWorkStation command: I'm forming similar SyncML to your example and sending it to the device.

    The status of the Exec command shows 200. But I don't see the device getting locked immediately. Could you please have a further look at this and let me know the behavior of the LockWorkStation command?

    Thanks,
    Sebastian.
    Friday, March 28, 2014 6:46 AM
  • Thanks Edgar,

    The syncML command for LockWorkStation worked!! :) The SyncML I used is similar to example you had given me.

    It was some minor confusion during execution on my end.

    Thanks a lot for your support.

    Thanks,

    Sebastian.

    Friday, March 28, 2014 9:45 AM
  • Hi Edgar,

    Regarding the password policy, is there a reason for the delayed execution of the password policy (i.e. the password policy is not enforced immediately on the device)?

    Since the password policy uses the EAS framework, I ran WMI Explorer on a Windows 8.1 machine to view the MDM_EASPolicy class instance after I pushed the password policy. I could not see an instance of the class, or any values set for the class properties.

    Whereas when I enroll a device, in WMI Explorer I can see an MDM_Client instance running on the Windows 8.1 device with the parameters I sent.

    Here are the namespaces I looked into using WMI Explorer.

    ./cimv2/MDM/MDM_EASPolicy
    ./cimv2/MDM/MDM_Client

    Is this the reason for the password policy not getting enforced on the device? Please check with your technical team to see whether there is something I need to correct while sending SyncML to the device.

    <SyncML xmlns="SYNCML:SYNCML1.2">
    <!-- SyncHdr omitted in the post -->
    <SyncBody>
    <Exec>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./cimv2/MDM_EASPolicy/MDM_EASPolicy.Key=%221%22/Exec=SetValues</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
          <Type xmlns="syncml:metinf">text/plain</Type>
        </Meta>
        <Data>NamedValuesList=MinPasswordLength,8;AutolockTimeout,30;MaxHistory,24;Expiration,0;MaxAttemptsBeforeWipe,6;MinPasswordComplexCharacters,1</Data>
      </Item>
    </Exec>
    <Final />
    </SyncBody>
    </SyncML>

    Thanks,

    Sebastian.

    Tuesday, April 8, 2014 9:40 AM
  • Hi Sebastian,

    Thank you for this new question. I will review this and follow-up.

    Thanks,

    Edgar

    Tuesday, April 8, 2014 3:46 PM
    Moderator
  • Sebastian,

    As previously mentioned, the Windows 8.1 based OMA-DM agent applies password policy through the EAS framework. The MDM protocol does not mandate when and how the policy will be enforced. Those are implementation details.

    Another example of this is that a WiFi profile is applied by a separate component, and not by the MDM agent itself. And such implementation detail is outside of the MDM protocol.

    Regards,

    Edgar
    Wednesday, April 9, 2014 9:03 PM
    Moderator