{"id":1431,"date":"2023-03-03T14:29:15","date_gmt":"2023-03-03T14:29:15","guid":{"rendered":"https:\/\/blog.n-dol.org\/?p=1431"},"modified":"2023-03-04T19:46:12","modified_gmt":"2023-03-04T19:46:12","slug":"dynamic-management-csp","status":"publish","type":"post","link":"https:\/\/blog.n-dol.org\/2023\/03\/03\/dynamic-management-csp\/","title":{"rendered":"Dynamic Management CSP"},"content":{"rendered":"\n

Dynamic Management is a CSP available from Windows 10 1703 onward. It gives the capability to modify the state of a device based on a context.<\/p>\n\n\n\n

Windows 10 allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can\u2019t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.<\/p>\n\n\n\n

Why this page<\/h3>\n\n\n\n

The current documentation of the CSP is fairly incomplete, and the examples, while accurate, do not work out of the box. There is no indication of what the level of context is or how the context rules are built together. There is also no indication of which settings can or cannot be applied.<\/p>\n\n\n\n

CSP description<\/h2>\n\n\n\n

While the main documentation covers some of it, I will list all the nodes with more explanation and examples of how this could be leveraged in UEM. Main documentation: https:\/\/learn.microsoft.com\/en-us\/windows\/client-management\/mdm\/dynamicmanagement-csp<\/a><\/p>\n\n\n


NotificationsEnabled<\/h2>\n\n\n\n

When set to True, this will display a notification to the end user that the device context changed. The end user will see this notification.<\/p>\n\n\n


ActiveList<\/h2>\n\n\n\n

The management server can query this node to know which contexts are currently triggered\/active. This is useful in case of a server notification, to check whether the device still has this context; if it does, the admin may have configured rules to trigger some actions against it (like our compliance engine).<\/p>\n\n\n\n

Contexts<\/h2>\n\n\n\n

Gives the complete list of all the contexts currently registered on the device.<\/p>\n\n\n\n

ContextID<\/h3>\n\n\n\n

Name of the context. It has to be unique on the device. There is no limit on the number of contexts per device as far as I can tell.<\/p>\n\n\n\n

SignalDefinition<\/h3>\n\n\n\n

XML defining the context. It needs to be escaped or wrapped in CDATA. It “signals” the CSP to apply the SettingsPack<\/strong>. The signals are not documented; there are 2 examples on the CSP page which give pointers, but nothing showing the real potential. Read the SignalDefinition Node<\/strong> section for detailed information.<\/p>\n\n\n\n

SettingsPack<\/h3>\n\n\n\n

XML containing the settings to apply for the particular context when it becomes active. When the context becomes inactive, it restores the previous state. It is worth emphasizing that there is no remove profile.<\/p>\n\n\n\n

The SettingsPack contents are filtered: not every command is available. The whitelist is protected from modification, even for SYSTEM, and is stored in SOFTWARE\\Microsoft\\Windows\\DynamicManagement\\Policy.<\/p>\n\n\n\n

On 22H2 and Insiders, the list is as follows:<\/p>\n\n\n\n