Registry Settings for Windows Mobile devices
Here's another post in my series about Windows Mobile devices. My last post talked about frustrations with the Q. Those issues never got fully resolved, but I'm not as concerned about them, because I don't own the device, and I haven't been asked to get it working.
I did find some interesting information, though. I feel rather fortunate that my device is completely unlocked, so I can muck with all the settings I want. For those that don't have unlocked devices, there may be *some* hope.
MSDN contains information on the Default Security Policy settings for both Windows Mobile Pocket PCs and Windows Mobile-based Smartphones. Check them out! Of interest is the section referring to the Grant Manager settings. I had seen several comments on the Windows Mobile team blog that referred to changing the registry key value in HKLM\Security\Policies\Policies\00001017 from the default of 128 to 144, and that this would aid in being able to install certificates, but I didn't quite understand why that would make a difference until I read the MSDN documentation. The MSDN article indicates that the registry key 00001017 is the setting for the Grant Manager Policy, which basically defines which roles are granted system administrative authority. To understand these settings, let's look first at what the different roles are (there are actually a few more, which are listed in the link below, but I don't think they are particularly relevant):
Registry Key Value (Decimal)
The thing to understand about registry settings such as these is that they can be used singly or in combination: each role is a single bit, and the value of the key is the sum of all the roles that are enabled. On non-phone-based devices (Pocket PC only), the default setting (outlined in the MSDN article) is Decimal 16 (Hex 0x000010), which equates to SECROLE_USER_AUTH. On phone-based devices (Pocket PC Phone edition and Smartphones), however, it defaults to Decimal 128 (Hex 0x000080), which is SECROLE_OPERATOR_TPS. By changing the value to Decimal 144 (Hex 0x000090), what you are actually doing is enabling both SECROLE_OPERATOR_TPS and SECROLE_USER_AUTH (128 + 16 = 144). In the same section of the MSDN site, another page describes the various security roles.
The only bit of advice I feel compelled to share here is to make sure that you document any settings when you make changes. There is nothing worse than knowing you changed something, but forgetting where it was you made the change, and what the default value was, especially when it is causing problems.
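The bit arithmetic and the record-keeping advice above, as an added example that is not part of the original post: it decodes a Grant Manager policy value into roles, shows which roles a change grants or revokes, and produces a one-line change record. Only the two role values stated in the post are named; any other bit is reported by its numeric value, and the function names are this example's own.

```python
# Added example: only the two role values stated in the post are named here.
ROLES = {
    16: "SECROLE_USER_AUTH",
    128: "SECROLE_OPERATOR_TPS",
}
GRANT_MANAGER_POLICY = r"HKLM\Security\Policies\Policies\00001017"


def decode(mask):
    """Split a policy value into its individual role bits."""
    if mask < 0:
        raise ValueError("policy value must be non-negative")
    names = []
    bit = 1
    while bit <= mask:
        if mask & bit:
            # Bits not named in the post are reported by value, not guessed.
            names.append(ROLES.get(bit, "UNNAMED_BIT_0x%X" % bit))
        bit <<= 1
    return names


def diff(old, new):
    """Return (granted, revoked) role lists for a change from old to new."""
    granted = decode(new & ~old)
    revoked = decode(old & ~new)
    return granted, revoked


def change_record(old, new):
    """One line to keep with your notes so the default can be restored."""
    granted, revoked = diff(old, new)
    return "%s: %d (0x%X) -> %d (0x%X); granted=%s; revoked=%s" % (
        GRANT_MANAGER_POLICY, old, old, new, new,
        ",".join(granted) or "none", ",".join(revoked) or "none")


if __name__ == "__main__":
    print(decode(144))               # both roles from the post
    print(change_record(128, 144))   # phone default -> modified value
    print(change_record(16, 144))    # Pocket PC default -> modified value
```

Running `diff` before applying a change makes it explicit that moving from 128 to 144 widens the Grant Manager policy by one role rather than swapping one role for another.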