TPMPolicy CSP

The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.

The TPMPolicy CSP was added in Windows 10, version 1703.

The following shows the TPMPolicy configuration service provider in tree format.

./Vendor/MSFT
TPMPolicy
----IsActiveZeroExhaust

./Device/Vendor/MSFT/TPMPolicy

Defines the root node.

IsActiveZeroExhaust

Boolean value that indicates whether network traffic from the device to public IP addresses is disallowed unless directly intended by the user (zero exhaust). Default value is false. Some examples of expected behavior when zero exhaust is configured:

  • There should be no traffic when the machine is idle. When the user is not interacting with the system/device, no traffic is expected.
  • There should be no traffic during installation of Windows and first logon when a local ID is used.
  • Launching and using a local app (Notepad, Paint, and so on) should not send any traffic. Similarly, performing common tasks (clicking on the Start menu, browsing folders, and so on) should not send any traffic.
  • Launching and using Internet-enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, and so on) to Microsoft.

Here is an example:

<Replace>
    <CmdID>101</CmdID>
    <Item>
        <Target>
            <LocURI>
                ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust
            </LocURI>
        </Target>
        <Meta>
            <Format>bool</Format>
            <Type>text/plain</Type>
        </Meta>
        <Data>true</Data>
    </Item>
</Replace>
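As an added example (not part of the original page or of the CSP itself), the following Python check audits a SyncML Replace command before it is pushed, confirming that it targets IsActiveZeroExhaust with a bool value. It tolerates the whitespace around the LocURI and the TpmPolicy/TPMPolicy casing difference visible in the page's own example; treating LocURIs as case-insensitive is an assumption, and the sample payloads are constructed here.

```python
import xml.etree.ElementTree as ET

# Node path from the CSP tree above; comparison is case-insensitive (assumption).
NODE_PATH = "./Vendor/MSFT/TPMPolicy/IsActiveZeroExhaust"


def audit_replace(syncml: str) -> dict:
    """Parse a SyncML <Replace> fragment and report whether it sets IsActiveZeroExhaust."""
    root = ET.fromstring(syncml)
    if root.tag != "Replace":
        return {"ok": False, "reason": f"unexpected command {root.tag}"}
    item = root.find("Item")
    if item is None:
        return {"ok": False, "reason": "no Item element"}
    # LocURI text may carry surrounding newlines/indentation, as in the page's example.
    loc = (item.findtext("Target/LocURI") or "").strip()
    # Accept both the ./Vendor/... and ./Device/Vendor/... spellings used on the page.
    norm = loc.lower().replace("./device/vendor/", "./vendor/")
    if norm != NODE_PATH.lower():
        return {"ok": False, "reason": f"LocURI {loc!r} is not the TPMPolicy node"}
    fmt = (item.findtext("Meta/Format") or "").strip()
    if fmt != "bool":
        return {"ok": False, "reason": f"Format {fmt!r} is not bool"}
    data = (item.findtext("Data") or "").strip().lower()
    if data not in ("true", "false"):
        return {"ok": False, "reason": f"Data {data!r} is not a boolean"}
    return {
        "ok": True,
        "zero_exhaust": data == "true",
        "cmd_id": (root.findtext("CmdID") or "").strip(),
    }


# Constructed sample payloads: one mirroring the page's example, one with a wrong Format.
GOOD = """<Replace><CmdID>101</CmdID><Item><Target><LocURI>
    ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust
</LocURI></Target><Meta><Format>bool</Format><Type>text/plain</Type></Meta>
<Data>true</Data></Item></Replace>"""
BAD_FORMAT = """<Replace><CmdID>102</CmdID><Item><Target>
<LocURI>./Device/Vendor/MSFT/TPMPolicy/IsActiveZeroExhaust</LocURI></Target>
<Meta><Format>chr</Format><Type>text/plain</Type></Meta><Data>true</Data></Item></Replace>"""

if __name__ == "__main__":
    print(audit_replace(GOOD))
    print(audit_replace(BAD_FORMAT))
```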