My Blog
About Me
- Name: Ben Winzenz
- Location: Keller, Texas, United States
I grew up near Ann Arbor, Michigan and went to college at BYU (Brigham Young University). In 1992, I took 2 years off from school to serve a full-time mission for my Church (the Church of Jesus Christ of Latter-day Saints) in Frankfurt, Germany. I've been married for 11 years and have 4 beautiful children. I have been working with Exchange since 1999.
Subscribe to this Blog
Subscribe to my Blog
Contact Me
E-mail me
Other Blogs
MS Exchange Blog
Mark Fugatt's Blog
You Had me at EHLO
David Lemson's Blog [MSFT]
Evan Dodd's Blog [PSS]
KC Lemson's Blog
Michael Palermiti's Blog [PSS]
Michael B. Smith's Blog
Andy Webb's Blog
Chad Gross [SBS]
E2K Security
Glen's Exchange Dev Blog
Bharat Suneja's Blog
Exchange Cookbook
Kevin Weilbacher [SBS]
Sigfried Weber
Susan Bradley's SBS Blog
Tim Rains' Weblog
Robert Hensing's Blog
Robert Scoble's Blog
WitNit
Jim McBee's Mostly Exchange Blog
Ant Drewery
Exchange-ing Ideas - Missy Koslosky
Donna's Security Flash
What's in Store - WinFS blog
Microsoft Security Response Center
Jason Langridge's WebLog - MR Mobile!
Gerod Serafin's Blog
XP Source
Mark's Sysinternals Blog
Jesper Johansson's Blog
ExchangeIS - Ben Hoffman's Blog
Ray Ozzie's Blog
Monad Team Blog
Devin Ganger - (e)Mail Insecurity
Steve Riley's Blog
Henrik Walther's Exchange Blog
Search
Archives
September 2004October 2004
November 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
Registry Settings for Windows Mobile devices
Here's another post in my series about Windows Mobile devices. My last post talked about frustrations with the Q. Those issues never got fully resolved, but I'm not as concerned about them, because I don't own the device, and I haven't been asked to get it working.
I did find some interesting information, though. I feel rather fortunate that my device is completely unlocked, so I can muck with all the settings I want. For those that don't have unlocked devices, there may be *some* hope.
MSDN contains information on the Default Security Policy settings for both Windows Mobile Pocket PC's and Windows Mobile-based Smartphones. Check them out! Of interest is the section referring to the Grant Manager settings. I had seen several comments on the Windows Mobile team blog that referred to changing the registry key value in HKLM\Security\Policies\Policies\00001017 from the default of 128 to 144 and that this would aid in being able to install certificates, but didn't quite understand why that would make a difference until I read the MSDN documentation. The MSDN article indicates that the registry key 00001017 is the setting for the Grant Manager Policy, which basically defines which roles are granted system administrative authority. To understand these settings, let's look first at what the different roles are (there are actually a few more which are listed in the link below, but I don't think they are particularly relevant):
Security Role | Registry Key Value (Decimal) |
SECROLE_OPERATOR_TPS | 128 |
SECROLE_PPG_TRUSTED | 2048 |
SECROLE_PPG_AUTH | 1024 |
SECROLE_TRUSTED_PPG | 512 |
SECROLE_USER_AUTH | 16 |
SECROLE_MANAGER | 8 |
SECROLE_OPERATOR | 4 |
The thing to understand about registry settings such as these is that they can be used singularly, or in combination. When you look at the value of the key, it represents all settings that are enabled. By default, on non-phone based devices (Pocket PC only), the default setting (outlined in the MSDN article) is actually set to Decimal 16 (Hex of 0x000010), which equates to SECROLE_USER_AUTH. On phone-based devices (Pocket PC Phone edition and Smartphones), however, it defaults to Decimal 128 (Hex 0x000080), which is SECROLE_OPERATOR_TPS. By changing the value to Decimal 144 (Hex 0x000090), what you are actually doing is enabling both SECROLE_OPERATOR_TPS and SECROLE_USER_AUTH (128+16 = 144). In the same section of the MSDN site, another page describes the various security roles.
The only bit of advice I feel compelled to share here is to make sure that you document any settings when you make changes. There is nothing worse than knowing you changed something, but forgetting where it was you made the change, and what the default value was, especially when it is causing problems.
- posted by Ben Winzenz @ 10:50 AM
