Configure Windows GPO

Ellen Thoren - Versasec

Introduction

From version 5.1 of vSEC:CMS it is possible to use Windows GPO to configure specific settings that can be used by client-side components. Currently the following client components can be configured through Windows GPO:

  • vSEC:CMS User Application 
  • vSEC:CMS Remote Security Device Management (RSDM)
Important
It is expected that anyone using Windows GPOs is experienced in this area as this article is not a manual for issuing Windows GPOs.
Important
If Windows GPOs are used then any registry keys that may have been configured on the client side previously would not be used, i.e. GPO configuration will take precedence.
Note
The GPO ADMX files will be available on the vSEC:CMS server. If you installed the vSEC:CMS into the default location then for vSEC:CMS User Application the ADMX file will be found here C:\Program Files\Versasec\vSEC_CMS S-Series\Group Policies\en-US for 64-bit version and for 32-bit version here C:\Program Files (x86)\Versasec\vSEC_CMS S-Series\Group Policies\en-US. For RSDM the ADMX file will be found here C:\Program Files\Versasec\vSEC_CMS S-Series\Group Policies for 64-bit version and for 32-bit version here C:\Program Files (x86)\Versasec\vSEC_CMS S-Series\Group Policies.
Note
For information purposes if the GPO settings are applied, they will be stored in the registry of the client in [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Versatile Security] and [HKEY_CURRENT_USER\SOFTWARE\Policies\Versatile Security].
Note
The very latest Windows version / patches should be installed on the domain controller where the GPOs will be configured from. 
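Two checks that follow from the notes above, written here as an added example rather than Versasec's own tooling: the first lists the ADMX and ADML files found in the Group Policies folders the article names (the file names themselves are not given in the article, so the function enumerates rather than assumes them), and the second dumps whatever policy values a client has actually received under the two registry locations the article names, which is the quickest way to confirm that a GPO is taking precedence over any older client-side registry settings. Value names are not documented here either, so they are enumerated as found.

```powershell
# Added example (not Versasec code). Locates the vSEC:CMS ADMX/ADML files at the
# install paths given in the article, and lists the policy values a client has
# received. File and value names are enumerated, not assumed.

function Find-VsecCmsAdmx {
    # Folders from the article: 64-bit and 32-bit install locations.
    $roots = @(
        'C:\Program Files\Versasec\vSEC_CMS S-Series\Group Policies',
        'C:\Program Files (x86)\Versasec\vSEC_CMS S-Series\Group Policies'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The RSDM ADMX sits in the folder itself and the User Application ADMX
        # under en-US, so search recursively and include the .adml language files.
        Get-ChildItem -LiteralPath $root -Recurse -Include '*.admx', '*.adml' -File |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Get-VsecCmsPolicy {
    # Registry locations the article says applied GPO settings are written to.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Versatile Security',
        'HKCU:\SOFTWARE\Policies\Versatile Security'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Output "$path : not present (no policy applied here)"
            continue
        }
        # Walk the key and every subkey; report each value with its data and type.
        $keys = @(Get-Item -LiteralPath $path) + @(Get-ChildItem -LiteralPath $path -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Data  = $key.GetValue($name)
                    Type  = $key.GetValueKind($name)
                }
            }
        }
    }
}

# Run on the vSEC:CMS server to find the templates to copy to your central store:
Find-VsecCmsAdmx | Format-Table -AutoSize
# Run on a client (after gpupdate) to see exactly which policy values arrived:
Get-VsecCmsPolicy | Format-Table -AutoSize
```

Run the first function on the server and the second on a client after a policy refresh; an empty result from the second means the GPO has not been applied to that machine or user, so the client's older registry configuration is still what is in effect.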

Configure GPO for vSEC:CMS User Application

From the Windows Group Policy Management Editor you can see which settings can be configured through GPO. Under Computer Configuration you will see the following options:

[Screenshot: policy list under Computer Configuration]

And under User Configuration you will see options:

Configure GPO for vSEC:CMS User Application under Computer Configuration

From here a number of configuration options are available. We will describe each one in this section.

Ask for change PIN before operation is performed

From version 6.10 this policy is available. This policy will force the user to change their PIN before they are allowed to perform an operation such as certificate reissuance or card update. The credential PIN needs to be configured to be managed by vSEC:CMS in this case.

Force USS be online when doing PIN operations

From version 6.10 this policy is available. This policy makes sure that the vSEC:CMS User Application is online, i.e. able to communicate with the back-end vSEC:CMS server, before allowing a user to change or unblock their PIN. This ensures proper trace reporting to the back end when these types of operations are performed from clients. The options are:

  • Force USS online when change PIN: Change PIN will only be allowed when the vSEC:CMS User application is online.
  • Force USS online when unblock PIN: Unblock PIN will only be allowed when the vSEC:CMS User application is online.

Card Template Tag Filtering

This policy is a list of tags that can be used to filter card templates shown for selection at credential issuances. If there are one or more tags matching the tags configured in the vSEC:CMS card template, the template is available for issuance.

Enter the tag(s) line by line into the Card Template Tag Filtering field and click Apply. The card template(s) matching these tags will then be presented to the users to whom this GPO applies.

Note
Regular expressions can be used. For example, to exclude all templates associated with the tags Test or Demo, enter the regular expression ^((?!Test|Demo).)*$

[Screenshot: Card Template Tag Filtering policy]

Check for Card Update on Insert

With this policy it is possible to configure the behaviour of the vSEC:CMS User Application when a credential is connected to the client machine. The vSEC:CMS User Application needs to be running in system tray mode for this.

For PIN change the options are:

  • No check: No check will be performed when the credential is attached to the client machine.
  • Notify balloon: When a credential is attached to the client, the vSEC:CMS User Application will check whether the credential's PIN needs to be changed. If so, a balloon-type dialog will appear for 10 seconds informing the user that they need to change the PIN.
    Note
    vSEC:CMS uses the Windows balloon mechanism for balloon notifications. If this is disabled in Windows (possibly via GPO) then you will not get any balloon notifications. Check in your GPO configuration whether Turn off all balloon notifications is enabled.
  • Notify popup: When a credential is attached to the client, the vSEC:CMS User Application will check whether the credential's PIN needs to be changed. If so, a popup-type dialog will appear informing the user that they need to change the PIN. The dialog will remain open until the user acknowledges it.
  • Notify popup (always on top): When a credential is attached to the client, the vSEC:CMS User Application will check whether the credential's PIN needs to be changed. If so, a popup-type dialog that is always on top will appear informing the user that they need to change the PIN. The dialog will remain open until the user acknowledges it.

For PIN unblock the options are:

  • No check: No check will be performed when the credential is attached to the client machine.
  • Notify balloon: When a credential is attached to the client, the vSEC:CMS User Application will check whether the credential's PIN is blocked. If so, a balloon-type dialog will appear for 10 seconds informing the user that they need to unblock the PIN.
    Note
    vSEC:CMS uses the Windows balloon mechanism for balloon notifications. If this is disabled in Windows (possibly via GPO) then you will not get any balloon notifications. Check in your GPO configuration whether Turn off all balloon notifications is enabled.
  • Notify popup: When a credential is attached to the client, the vSEC:CMS User Application will check whether the credential's PIN is blocked. If so, a popup-type dialog will appear informing the user that they need to unblock the PIN. The dialog will remain open until the user acknowledges it.
  • Notify popup (always on top): When a credential is attached to the client, the vSEC:CMS User Application will check whether the credential's PIN is blocked. If so, a popup-type dialog that is always on top will appear informing the user that they need to unblock the PIN. The dialog will remain open until the user acknowledges it.

For Card update the options are:

  • No check: No check will be performed when the credential is attached to the client machine.
  • Notify balloon: When a credential is attached to the client, the vSEC:CMS User Application will check whether the credential needs to be updated. If so, a balloon-type dialog will appear for 10 seconds informing the user that they need to update their credential.
  • Notify popup: When a credential is attached to the client, the vSEC:CMS User Application will check whether the credential needs to be updated. If so, a popup-type dialog will appear informing the user that they need to update their credential. The dialog will remain open until the user acknowledges it.
  • Notify popup (always on top): When a credential is attached to the client, the vSEC:CMS User Application will check whether the credential needs to be updated. If so, a popup-type dialog that is always on top will appear informing the user that they need to update their credential. The dialog will remain open until the user acknowledges it.

Credential Provider - Change PIN Label

This policy setting configures the title for the credential provider when you press Ctrl + Alt + Del from a logged-on Windows session, select the Change a password option and select your attached credential. The label highlighted below will be changed in this case.

[Screenshot: Change a password screen with the Change PIN label highlighted]

It is possible to set a title in English, French or German; depending on your local regional settings, the corresponding title is shown.

Credential Provider Issue - Configure Icon

This policy setting configures the icon for the credential provider issuance option when you press Ctrl + Alt + Del from a Windows session. Enter the icon path that you want to use. The icon needs to be available on the client host at the path provided.

The icon should be 192x192 pixels and scalable.

[Screenshots: Credential Provider Issue - Configure Icon policy]

Credential Provider Logon - Configure Icon

This policy setting configures the icon for the credential provider logon option when you press Ctrl + Alt + Del from a Windows session. Enter the icon path that you want to use. The icon needs to be available on the client host at the path provided. There are two options here: one icon used to show physical smart cards connected to the host and one icon used to show virtual smart cards connected to the host.

The icons should be 192x192 pixels and scalable.

[Screenshots: Credential Provider Logon - Configure Icon policy]

Credential Provider - Credential Issuance Title

This policy setting configures the title for the credential provider issuance as seen at the Windows logon screen.

[Screenshot: credential issuance title at the Windows logon screen]

It is possible to set a title in English, French or German; depending on your local regional settings, the corresponding title is shown.

Credential Provider - Unblock PIN Label

This policy setting configures the title for the credential provider when you press Ctrl + Alt + Del to log into your Windows session. Select the reader that your credential is attached to and you will see an unblock PIN label.

[Screenshot: unblock PIN label at the Windows logon screen]

It is possible to set a title in English, French or German; depending on your local regional settings, the corresponding title is shown.

Disable Credential Provider

With this policy it is possible to disable the vSEC:CMS Credential Provider (CP). Three options are available if this is enabled:

  • Both: If this is selected then the issuance and logon options will not be available from the CP;
  • Issuance: If this is enabled then only the logon options will not be available from the CP;
  • Logon: If this is enabled then only the issuance option will not be available from the CP.

PIN change notification message

With this policy it is possible to configure the notification message content that is shown in the vSEC:CMS User Application dialog when a credential that supports the PIN change flag, and has that flag set, is attached to a client. Depending on what was configured for the GPO Check for card update on insert, the user will be presented with options to change the PIN. The settings configured here are only applicable when the vSEC:CMS User Application is offline and running in system tray mode.

[Screenshot: PIN change notification message policy]

From the Message option you can select either HTML, Predefined or Text. If Predefined is selected then the hard coded content in the vSEC:CMS User Application will be used. Otherwise you can configure specific content if HTML or Text is selected. Supported languages are English, German and French.

Additionally, vSEC:CMS variables can be used in the message content if required. For example, if you use Text you could configure the following content in the Information message:

Your smart card needs your attention. The PIN needs to be changed.

Card Serial Number: ${Csn}

If HTML is used, a strict structure needs to be followed, as described below. The structure defined here applies to all HTML content defined below.

The HTML should be constructed as below:

<html>
<head><meta><style type="text/css">
body {border:0;margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px;padding: 0;background-color:#ffffff;font-family: Microsoft, sans-serif;font-size: 8px;text-align: left;}
pre {border:0;margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px;padding: 0;background-color:#ffffff;font-family: Microsoft, sans-serif;font-size: 8px;text-align: left;}
table {border: 0;padding: 1px;}
td {padding: 0 0 0 0;font-family: Microsoft, sans-serif;font-size: 12px;}
</style></meta></head>
<body>
<table>
<tbody>
<tr><td>
<!-- ADD MY CONTENT HERE -->
</td></tr>
<tr><td><div id="docEnd"/></td></tr>
</tbody>
</table>
</body>
</html>

Enter the content you wish to show in place of the ADD MY CONTENT HERE comment. For example, if the content should say "My PIN should be changed", the HTML would look like this:

<html>
<head><meta><style type="text/css">
body {border:0;margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px;padding: 0;background-color:#ffffff;font-family: Microsoft, sans-serif;font-size: 8px;text-align: left;}
pre {border:0;margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px;padding: 0;background-color:#ffffff;font-family: Microsoft, sans-serif;font-size: 8px;text-align: left;}
table {border: 0;padding: 1px;}
td {padding: 0 0 0 0;font-family: Microsoft, sans-serif;font-size: 12px;}
</style></meta></head>
<body>
<table>
<tbody>
<tr><td>
My PIN should be changed
</td></tr>
<tr><td><div id="docEnd"/></td></tr>
</tbody>
</table>
</body>
</html>

Information message

In this section it is possible to configure the actual message content presented in the dialog, depending on what was configured for the GPO Check for card update on insert.

Fail message

In this section it is possible to configure the actual message content presented in the dialog when an error occurs during the PIN change.

Message for Credential Provider

In this section it is possible to configure the content that will be shown in the dialogs when attempting to perform a PIN change via the CP.

PIN unblock notification message

With this policy it is possible to configure the content that is displayed in the vSEC:CMS User Application dialogs when performing PIN unblock.

[Screenshot: PIN unblock notification message policy]

From the Message option select from the available list. This is a global setting. It is possible to select Predefined, which is hard-coded content in the application, or the HTML or plain Text format. If HTML or Text is selected then you can configure the specific content that will be shown in the dialogs. The supported languages are English, German and French.

If HTML is used, a strict structure needs to be followed, as described below. The structure defined here applies to all HTML content defined below.

The HTML should be constructed as below:

<html>
<head><meta><style type="text/css">
body {border:0;margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px;padding: 0;background-color:#ffffff;font-family: Microsoft, sans-serif;font-size: 8px;text-align: left;}
pre {border:0;margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px;padding: 0;background-color:#ffffff;font-family: Microsoft, sans-serif;font-size: 8px;text-align: left;}
table {border: 0;padding: 1px;}
td {padding: 0 0 0 0;font-family: Microsoft, sans-serif;font-size: 12px;}
</style></meta></head>
<body>
<table>
<tbody>
<tr><td>
<!-- ADD MY CONTENT HERE -->
</td></tr>
<tr><td><div id="docEnd"/></td></tr>
</tbody>
</table>
</body>
</html>

Enter the content you wish to show in place of the ADD MY CONTENT HERE comment. For example, if the content should say "My PIN should be unblocked", the HTML would look like this:

<html>
<head><meta><style type="text/css">
body {border:0;margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px;padding: 0;background-color:#ffffff;font-family: Microsoft, sans-serif;font-size: 8px;text-align: left;}
pre {border:0;margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px;padding: 0;background-color:#ffffff;font-family: Microsoft, sans-serif;font-size: 8px;text-align: left;}
table {border: 0;padding: 1px;}
td {padding: 0 0 0 0;font-family: Microsoft, sans-serif;font-size: 12px;}
</style></meta></head>
<body>
<table>
<tbody>
<tr><td>
My PIN should be unblocked
</td></tr>
<tr><td><div id="docEnd"/></td></tr>
</tbody>
</table>
</body>
</html>
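Because both the PIN change and the PIN unblock notification messages must follow the same HTML skeleton, the following added example (not Versasec code) generates a compliant body from plain text lines. Each line is HTML-encoded before it is placed in the content cell, so characters such as <, > or & in a message cannot break the required structure; vSEC:CMS variables such as ${Csn} contain none of those characters and pass through unchanged. Joining several lines with <br/> inside the single content cell is an assumption on our part about what the dialog renders, as is the idea that variable substitution happens after the HTML is loaded.

```powershell
# Added example (not Versasec code). Builds a notification message body that
# follows the HTML skeleton from the article, with the text HTML-encoded.

function New-VsecCmsHtmlMessage {
    param([Parameter(Mandatory)] [string[]] $Lines)

    # System.Net.WebUtility is available in Windows PowerShell and PowerShell 7
    # without loading extra assemblies. $, { and } are not encoded, so ${Csn} survives.
    $encoded = foreach ($line in $Lines) { [System.Net.WebUtility]::HtmlEncode($line) }
    # Assumption: <br/> between lines is acceptable inside the content cell.
    $content = $encoded -join "<br/>`n"

    # Skeleton copied from the article; only the content cell is filled in.
    @"
<html>
<head><meta><style type="text/css">
body {border:0;margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px;padding: 0;background-color:#ffffff;font-family: Microsoft, sans-serif;font-size: 8px;text-align: left;}
pre {border:0;margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px;padding: 0;background-color:#ffffff;font-family: Microsoft, sans-serif;font-size: 8px;text-align: left;}
table {border: 0;padding: 1px;}
td {padding: 0 0 0 0;font-family: Microsoft, sans-serif;font-size: 12px;}
</style></meta></head>
<body>
<table>
<tbody>
<tr><td>
$content
</td></tr>
<tr><td><div id="docEnd"/></td></tr>
</tbody>
</table>
</body>
</html>
"@
}

# The article's Text-format PIN change message, expressed as HTML. Single quotes
# keep ${Csn} literal so PowerShell itself does not try to expand it.
$html = New-VsecCmsHtmlMessage -Lines @(
    'Your smart card needs your attention. The PIN needs to be changed.',
    'Card Serial Number: ${Csn}'
)
$html

# A line containing markup characters is neutralised rather than interpreted,
# so the table structure the article requires stays intact.
New-VsecCmsHtmlMessage -Lines 'Contact <IT Helpdesk> & quote your serial number'
```

Paste the function's output into the HTML field of the policy; if you later change the skeleton, change it in one place here rather than in every language variant of every message.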

Information message

In this section it is possible to configure the actual message content presented in the dialog, depending on what was configured for the GPO Check for card update on insert.

Fail message

In this section it is possible to configure the actual message content presented in the dialog when an error occurs during the PIN unblock.

Message for Credential Provider

From here it is possible to configure content that will be shown in the dialogs when used via the Windows Credential Provider (CP).

Online Mode:

This is the dialog shown when attempting a PIN unblock via the CP and the client machine is online.

Offline Mode, Challenge Response supported:

This is the dialog shown when attempting a PIN unblock via the CP and the client machine is offline.

Offline Mode, Challenge Response supported, Qr-code enabled and URL is shown:

This is the dialog shown when attempting a PIN unblock via the CP and the client machine is offline and the QR code functionality is enabled and URL is shown.

Offline Mode, Challenge Response supported, Qr-code enabled and Qr-code is shown (URL is hidden):

This is the dialog shown when attempting a PIN unblock via the CP and the client machine is offline and the QR code functionality is enabled and URL is not shown.

PIN unblock with QR-Code

With this policy it is possible to configure the message content that is displayed beside the Show URL button when QR code is enabled in the vSEC:CMS User Application when performing a PIN unblock via the CP and the client is offline.

From QR-Code Type select one of the available supported code types.

In the Unblock PIN URL field you configure the URL that will be shown to the user, which they need to enter manually into a browser to connect to a PIN unblock portal. It is possible to pass vSEC:CMS variables in the URL. Currently, two variables are supported: {csn} and {challenge}. For example, you could have a URL like this:

https://unblock.portal.com/unblock?csn={csn}&challenge={challenge}

In the QR-Code Data field you configure the data that will be encoded into the QR code. It is possible to pass vSEC:CMS variables that are then encoded into the QR code. Currently, two variables are supported: {csn} and {challenge}. For example:

otpauth://unblock.portal.com/unblock?csn={csn}&challenge={challenge}

PIN unblock QR-Code size

With this policy it is possible to configure the size in pixels of the QR code that is displayed. If this is not enabled the default size is 100 pixels. Select the Enabled option and adjust the size in pixels that is appropriate for your environment.

Help URLs

This policy setting configures the URLs that will be opened when clicking the Help menu. The URL can use any protocol supported by the Windows system on which the vSEC:CMS User Application console is running, for example http://xxx.yyy or file://.

Configure background image

With this policy setting it is possible to configure customizable background and home tab images. The images can be of .png or .svg format.

[Screenshot: Configure background image policy]

The following options are available:

  • Background image position: You can configure the background image position from here. 
  • Home image position: You can configure an additional image file position that is only available, by default, from the Home tab. This might typically be a company logo.
  • Background image path: Here you configure the actual file location on the client for the background image file. 
  • Home image path: Here you configure the actual file location on the client for the home image file.
  • Enable the Show home image in another view (beside home view) if it is required to show the Home image on each tab of the application.
Note
The pixels for the size of the background image need to be at minimum the same as the display resolution of the client host. For example, if your clients run with a display resolution of 2560x1440, then the background image should have at minimum this size set for the pixel size of the PNG image used.
Also, if the Home image is too large it will override other fields and labels in some tabs.

Enable challenge-response for offline PIN unblock for PIV token

If this policy is enabled it will be possible to use the challenge-response mechanism to perform PIN unblock for supported PIV credentials.

CMS Server Protocol

This policy setting configures which protocol should be used when communicating with the vSEC:CMS server. The options are:

  • Prefer Soap: vSEC:CMS User Application will check if the server is available via SOAP protocol. If not, it will try gRPC.
  • Prefer gRPC: vSEC:CMS User Application will check if the server is available via gRPC protocol. If not, it will try SOAP.
  • Force Soap: vSEC:CMS User Application will check if the server is available via SOAP protocol. If not, it will fail.
  • Force gRPC: vSEC:CMS User Application will check if the server is available via gRPC protocol. If not, it will fail.

Server URL (gRPC)

This policy setting configures the URL of the gRPC vSEC:CMS User Application server-side. Enter the full URL in the Server URL field.

For example: http://my-server:port

Server URL (SOAP)

This policy setting configures the URL of the SOAP vSEC:CMS User Application server-side. Enter the full URL in the Server URL field.

For example: http://my-server:port/uss

Configure Smart Card Access

This policy setting configures the credential access type that will be used globally for the vSEC:CMS User Application. The settings are:

  • Force minidriver usage: The vSEC:CMS User Application will only use the credential minidriver installed on the user's computer if this option is configured. If there is no minidriver available then no operations will be possible with the credential.
  • Force native access: The vSEC:CMS User Application will only use the native access to the credential if this option is configured. If native access to the credential is not supported then no operations will be possible with the credential.
  • Use minidriver if possible: The vSEC:CMS User Application will attempt to use the credential minidriver installed on the user's computer if this option is configured. If there is no minidriver installed then the vSEC:CMS User Application will attempt to use native access. If native access is not supported for the credential then no operations will be possible with the credential.
  • Use native access if possible: The vSEC:CMS User Application will attempt to use the native access to the credential if this option is configured. If native access to the credential is not supported then the vSEC:CMS User Application will attempt to use the minidriver interface. If there is no minidriver available then no operations will be possible with the credential.

Configure Connection Behavior in System Tray Mode

This policy allows you to configure how clients connect when running in system tray mode. In large deployments, when many users log on at the same time, a lot of traffic is sent to the server side, which can impact system performance. From version 6.10 this policy can be used to randomize when clients connect to the back end to check whether any updates are waiting for them on the server. The following options are available:

  • Connect at application start (no delay): If this is set then the vSEC:CMS User application will connect to the backend immediately once the user logs on.
  • Connect when the user is starting to use the application: If this is set then the vSEC:CMS User application will connect only when the vSEC:CMS User application is opened from the system tray icon Show User Application.
  • Connect at any (random) time within 30 minutes: If this is set then the vSEC:CMS User application will connect to the backend randomly within 30 minutes from when the user logs onto their workstation.
  • Connect at any (random) time within 1h: If this is set then the vSEC:CMS User application will connect to the backend randomly within 1 hour from when the user logs onto their workstation.
  • Connect at any (random) time within 2h: If this is set then the vSEC:CMS User application will connect to the backend randomly within 2 hours from when the user logs onto their workstation.

Configure GPO for vSEC:CMS User Application under User Configuration

Card Template Tag Filtering

This policy is a list of tags that can be used to filter card templates shown for selection at credential issuances. If there are one or more tags matching the tags configured in the vSEC:CMS card template, the template is available for issuance.

Enter the tag(s) line by line into the Card Template Tag Filtering field and click Apply. The card template(s) matching these tags will then be presented to the users to whom this GPO applies.

Note
Regular expressions can be used. For example, to exclude all templates associated with the tags Test or Demo, enter the regular expression ^((?!Test|Demo).)*$

[Screenshot: Card Template Tag Filtering policy]
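The Card Template Tag Filtering policy appears under both Computer Configuration and User Configuration with the same regular-expression semantics, so the following added example (not Versasec code) covers both. It runs the article's exclusion pattern, and a couple of plain tag lines, over a constructed set of template tags to show which templates would be offered. The assumption that the product tests each configured line against each template tag as a regular expression, and the case-sensitive comparison, are ours; the article does not state how case is handled.

```powershell
# Added example (not Versasec code). Shows which constructed template tags a
# Card Template Tag Filtering entry would let through.

function Test-TemplateTags {
    param(
        [Parameter(Mandatory)] [string[]] $Patterns,   # the lines entered in the GPO field
        [Parameter(Mandatory)] [string[]] $Tags        # tags configured on a card template
    )
    foreach ($tag in $Tags) {
        # Assumption: each line is a regular expression tested against each tag.
        # -cmatch is case-sensitive; the product's case handling is not documented.
        $hit = @($Patterns | Where-Object { $tag -cmatch $_ })
        [pscustomobject]@{
            Tag       = $tag
            Available = ($hit.Count -gt 0)
            MatchedBy = ($hit -join ', ')
        }
    }
}

# Constructed tags, including ones that merely contain the excluded words.
$tags = 'Production', 'Test', 'Demo', 'TestLab', 'PIV-Prod', 'Testing'

# 1. The article's exclusion pattern. The negative lookahead rejects any tag in
#    which "Test" or "Demo" appears anywhere, so TestLab and Testing are dropped too.
Test-TemplateTags -Patterns '^((?!Test|Demo).)*$' -Tags $tags | Format-Table -AutoSize

# 2. Plain words are still regular expressions: "Prod" matches both Production and
#    PIV-Prod. Anchor the line (^Production$) when exactly one tag is intended.
Test-TemplateTags -Patterns 'Prod', '^Production$' -Tags $tags | Format-Table -AutoSize
```

The second run is the practical point: an unanchored tag line is a substring match, so a filter meant to expose one production template can silently expose every template whose tag contains that word. Test the lines against your real tag list before applying the GPO to users.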

Configure User Self-Service permissions

This policy setting changes the permissions for the User Self-Service Console.

Note
This GPO policy is configured under User Configuration in the Windows Group Policy Management Editor console.

If you enable this policy setting, additional options are available to fine-tune your selection.

If you disable or do not configure this policy setting, the default behaviour for the vSEC:CMS User Application will apply.

The options available are listed below, each followed by a description of what it controls:

  • Disallow “WHfB”: This tab is available from the vSEC:CMS User Application where users can view their WHfB container credentials.
  • Disallow “PIN – Change PIN”: This is an option from the PIN tab where it is possible to change the PIN for the attached credential.
  • Disallow “PIN – Unblock (Crypto)”: This is an option from the PIN tab where unblocking the PIN for the attached credential online or offline is possible.
  • Disallow “PIN – Unblock (PUC)”: This is an option from the PIN tab where it is possible to unblock the PIN for the attached credential using a PUC code.
  • Disallow “Certificates”: This is the Certificates tab available from the vSEC:CMS User Application window, which lists all certificates on the user’s credential.
  • Disallow “Credential”: This is the Credential tab available from the vSEC:CMS User Application window, where you can perform operations on credentials.
  • Disallow “Credential – Approval”: This is an option from the Credential tab where, if configured, an approval option in the form of an approval code can be provided so that the user authenticates before they are allowed to issue a credential.
  • Disallow “Credential – Retire”: This is an option from the Credential tab where, if configured, the user can retire the attached credential.
  • Disallow “Credential – Issue”: This is an option from the Credential tab where, if configured, the user can issue the attached credential.
  • Disallow “Certificates - Delete”: This is the delete button available from the Certificates tab. If this button is available, a user can select a certificate on the credential and delete it.
  • Disallow “Certificates – Import”: This is the import button available from the Certificates tab. If this button is available, a user can import a certificate onto the credential.
  • Disallow “Certificates – Default”: This is the default button available from the Certificates tab. If this button is available, a user can select a certificate on the credential and make it the default certificate on the credential.
  • Disallow “Certificates – PIN”: This is the PIN button available from the Certificates tab. If this button is available, a user can click it and the application will go to the My PIN page.
  • Disallow “Certificates – Reissue”: This button allows the reissue of the selected certificate that was issued on the credential during issuance.
  • Disallow “Certificates – Recover”: This button allows the recovery of a certificate that has been configured for key recovery in the credential template.
  • Disallow “Check for New Version”: By default, the vSEC:CMS User Application is configured not to check for product updates. If this feature is enabled, the application will check the Versasec product updates web service and prompt the user to update their product version.
  • Disallow “Key Recovery”: This functionality allows a certificate/key to be recovered to the credential if this is configured on the credential template.
  • Disallow “Credential Updates”: This page shows pending credential update operations that should be performed on the credential. These would typically be certificate renewals when a certificate is due to expire.
  • Disallow "WhfB - Create PIN": If you are not using vSEC:CMS to manage your WhfB credentials then disable this setting, as PIN management can only be done when vSEC:CMS is managing the WhfB credential.
  • Disallow "WhfB - Change PIN": If you are not using vSEC:CMS to manage your WhfB credentials then disable this setting, as PIN management can only be done when vSEC:CMS is managing the WhfB credential.
  • Disallow "WhfB - Retire PIN": If you are not using vSEC:CMS to manage your WhfB credentials then disable this setting, as PIN management can only be done when vSEC:CMS is managing the WhfB credential.
  • Disallow "WhfB - Delete PIN": If you are not using vSEC:CMS to manage your WhfB credentials then disable this setting, as PIN management can only be done when vSEC:CMS is managing the WhfB credential.
  • Disallow "Credential - Request Entra ID TAP code": If you are using vSEC:CMS to auto-generate a TAP code for Entra ID then this can be generated from the user application, if configured.
  • Disallow "Credential - Information - Custom Data On Card - Details": If you have configured vSEC:CMS to write custom data to a credential then you can view the custom data from the user application.
  • Disallow "FIDO2": If vSEC:CMS is configured to manage FIDO2 credentials then enable this setting to allow FIDO2 management operations to be performed from the user application.
  • Disallow "FIDO2 - Manage Bio Enrollments": If you are using a credential that supports FIDO2 along with Bio enrolment support then enable this setting to allow the user to enrol their fingerprints from the user application.

Configure GPO for RSDM

From the Windows Group Policy Management Editor you can see which settings can be configured through GPO. Under Computer Configuration you will have the following options.

Configure GPO for RSDM under Computer Configuration

From here a number of configuration options are available. We will describe each one in this section.

Enable user enrollment

This policy setting enables the RSDM service whereby the RSDM service will check on the server side if the logged-on Windows user is enabled/allowed for user enrollment. If the user is enabled for enrollment then the RSDM service will inform the vSEC:CMS User Application to launch the issuance workflow.

Configure Windows session status change events

This policy setting configures which Windows session notification event(s) can trigger the user enrollment process.

Note
Enable user enrollment must be enabled for this policy setting to take effect.

The value entered into EventNumber should be the sum (aggregate) of the values of the desired events:

  • WTS_CONSOLE_CONNECT (1): The session was connected to the console terminal or RemoteFX session.
  • WTS_REMOTE_CONNECT (4): The session was connected to the remote terminal.
  • WTS_SESSION_LOGON (16): A user has logged on to the session.
  • WTS_SESSION_UNLOCK (128): The session has been unlocked.

For example, if it is required that the enrollment process should be triggered when a user logs onto their workstation or a user unlocks their workstation then the value entered into EventNumber would be 144 (128+16).
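Since EventNumber is a bit mask built from the four event values above, the following added example (not Versasec code) computes the aggregate from event names and decodes a stored value back into names. The decode direction is the useful one when auditing a GPO: it tells you what a number someone typed years ago actually enables, and flags any bits that do not correspond to an event the article lists.

```powershell
# Added example (not Versasec code). Composes and decodes the RSDM EventNumber
# bit mask using the four session events and values given in the article.

[Flags()] enum WtsSessionEvent {
    WTS_CONSOLE_CONNECT = 1
    WTS_REMOTE_CONNECT  = 4
    WTS_SESSION_LOGON   = 16
    WTS_SESSION_UNLOCK  = 128
}

function Get-RsdmEventNumber {
    # Event names are bound to the enum, so a misspelt name is rejected at the call.
    param([Parameter(Mandatory)] [WtsSessionEvent[]] $Events)
    $value = 0
    # Bitwise OR rather than addition, so listing an event twice cannot double-count it.
    foreach ($e in $Events) { $value = $value -bor [int]$e }
    return $value
}

function ConvertFrom-RsdmEventNumber {
    param([Parameter(Mandatory)] [int] $EventNumber)
    # Mask of all bits the article documents.
    $known = 0
    foreach ($e in [enum]::GetValues([WtsSessionEvent])) { $known = $known -bor [int]$e }
    [pscustomobject]@{
        EventNumber = $EventNumber
        # A [Flags] enum renders as a comma-separated list of the set event names.
        Events      = [WtsSessionEvent]($EventNumber -band $known)
        # Non-zero means the value contains bits that match no documented event.
        UnknownBits = $EventNumber -band (-bnot $known)
    }
}

# The article's example: trigger enrollment on logon and on unlock.
Get-RsdmEventNumber -Events WTS_SESSION_LOGON, WTS_SESSION_UNLOCK
ConvertFrom-RsdmEventNumber -EventNumber 144

# A value with an undocumented bit set (2), as might be found in an old GPO.
ConvertFrom-RsdmEventNumber -EventNumber 150
```

Use Get-RsdmEventNumber when writing the policy and ConvertFrom-RsdmEventNumber when reviewing an existing one; a non-zero UnknownBits is a sign the value was computed by hand incorrectly or copied from documentation for a different product version.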

Configure Windows Events

This policy setting configures which RSDM events are written to the Windows event system. You can configure Debug or Normal. By default, Normal events are written to the Windows event system, but when troubleshooting an issue it may be useful to enable Debug so that the RSDM service writes more detail to the Windows event system.

CMS Server Protocol

This policy setting configures which protocol should be used when communicating with the vSEC:CMS server. The options are:

  • Prefer Soap: vSEC:CMS User Application will check if the server is available via SOAP protocol. If not, it will try gRPC.
  • Prefer gRPC: vSEC:CMS User Application will check if the server is available via gRPC protocol. If not, it will try SOAP.
  • Force Soap: vSEC:CMS User Application will check if the server is available via SOAP protocol. If not, it will fail.
  • Force gRPC: vSEC:CMS User Application will check if the server is available via gRPC protocol. If not, it will fail.

Error reporting level

This policy configures which level of entries, under Windows Logs in Windows Event Viewer, RSDM will filter for and report to the vSEC:CMS server.

The different levels supported are:

  • Notification (Including Critical, Error, Warning, Information);
  • Information (Including: Critical, Error, Warning);
  • Warning (Including: Critical, Error);
  • Error (Including: Critical);
  • Critical.

Configure status reporting

This policy setting configures which enrollment status information should be reported back to the server-side. This can be useful information to capture when troubleshooting.

Select Enrollment dialog shown to the user if it is required to report back to the server side that the user did get the enrollment dialog presented to them.

Select User cancel enrollment dialog if it is required to report back to the server side that the user did cancel the enrollment process when the dialog was presented to them.

Select All if you want to report back both Enrollment dialog shown to the user and User cancel enrollment dialog events to the server side.

Select None if you do not want to report back either the Enrollment dialog shown to the user or the User cancel enrollment dialog event to the server side.

Server URL (gRPC)

This policy setting configures the URL of the gRPC vSEC:CMS User Application server-side. Enter the full URL in the Server URL field.

For example: my-server:port

Server URL (SOAP)

This policy setting configures the URL of the SOAP vSEC:CMS User Application server-side. Enter the full URL in the Server URL field.

For example: http://my-server:port/uss

Collect TPM information

If this policy is enabled the RSDM Service will collect details about the installed TPM chip.

Collect information about installed vSEC:CMS software

If this policy is enabled the RSDM Service will collect version details about installed vSEC:CMS software components and update the central inventory.

Collect Windows Hello for Business management information

If this policy is enabled the RSDM Service will collect Windows information for Windows Hello for Business management purposes.