Going Beyond the Initial Setup –
Provisioning Windows Mobile Devices
By Chris De Herrera,
Version 1.00 Created 6/26/2006
If you work in an enterprise that has multiple Windows
Mobile devices, you will soon find that you need an easy way to setup new
devices. This is especially true if you are planning to deploy hundreds or
thousands of devices. This article explains different options to configure
or provision Windows Mobile devices en mass.
Backup & Restore
The initial idea that some enterprise users may think of is like using
Symantec Ghost for Windows Mobile devices. Basically a network administrator
configures a Windows Mobile device initially by hand. Then they perform a
backup of the device using tools like
SPB Backup or
Clone. This backup would be the “golden master” for that particular
device and configuration. The cloning process is easy to perform by
restoring the backup onto a new device. The downside to this process is that
the backup is generally device and rom version specific so you will want to
test the image with each new device and rom.
Working with the Registry
Another way to configure settings in Windows Mobile is by using a
registry editor. Please note that neither Microsoft nor any OEM will support
you editing the registry on the device. Microsoft has documented common
settings that are related to security at
Default Security Policy Settings for Windows Mobile-Based Devices. You
will need a registry editor since there is no editor provided with Windows
Mobile. You can download a registry editor from
Resco Explorer 2005. Also, if your device has been secured, you may have
to use a digitally signed registry editor in order to change the settings.
Windows Mobile 5.0 Provisioning
With Windows Mobile 5.0, Microsoft came up with a new process to
provision devices. This process allows users to setup different types of
settings all at once. Also, you can create XML entries that are compiled
into a CPF file to make registry changes beyond the standard settings. One
of the critical items to understand is the two tier security architecture,
security policy and security roles that control whom can modify the settings
on the device. This process is fairly complex and requires you to consider
how devices are managed in your environment. The downside to the
provisioning process is that there is no option to automatically install
applications so you will have to install them separately.
Understanding Windows Mobile Two-Tier Security Architecture
Microsoft has introduced a two-tier security architecture for Windows
Mobile devices. The first tier defines that digitally signed applications
are allowed full access to all privileged APIs and Registry keys.
Applications that are not signed cannot be run on the device. The second
tier defines that digitally signed applications will run in Normal mode
while specially signed applications from the carrier or enterprise can
access all privileged APIs and Registry keys. Applications that are not
signed cannot be run on the device. Microsoft has described the two tier
security architecture at
Selecting Security Configuration.
Windows Mobile 2003 and 5.0 Smartphones support two tiers of security which
define whom can install applications and make registry changes. Windows
Mobile 5.0 Pocket PCs support only a single tier security architecture.
Normally Windows Mobile 5.0 Pocket PCs and Smartphones are delivered with no
security architecture implemented. However you should ask your OEM to ensure
that you can confirm this for your specific device. Prior versions of the
Pocket PC did not support this security architecture however the Smartphone
has supported it since the beginning.
So when you decide to implement security in your environment, you may choose
to purchase a digital certificate so you can sign your provisioning XML
files. This will prevent users from being able to change these settings and
install applications. The digital certificate process is the same as
application developers use to sign their applications. You may find the
Windows Mobile 5.0 Application Security which covers how to sign
Understanding Windows Mobile 5.0 Security Policy and Roles.
Part of Windows Mobile 5.0 is that Microsoft supports many different
roles that can modify the device. The security roles define whether or not a
specific configuration file has access to resources based on the role
defined for it. The security policies define the different policy settings
that can be defined on the device to control a particular function. I
suggest that all administrators read about the
Security Policy and Roles.
Creating an XML Provisioning File
Microsoft has documented the provisioning options and process at
Provisioning Files. The process of creating a provisioning file requires
the device administrator to create an XML file with al the settings required
to configure the device. The different XML schemas for the provisioning file
are documented at
Configuration Service Provider Reference for Windows Mobile-Based Devices.
Also you will want to review the 28 example XML files at
OMA Client Provisioning XML File Examples or the combined XML sample at
XML Example for Security Policy. I suggest that you combine multiple XML
options into a single file so it configures everything you need. You must
make sure that you name the XML file _setup.xml.
Creating and Installing a CPF File
Then you need to create a CPF file. A CPF file is a special CAB file
that installs the settings on the device for you. To create a CPF file. go
to a command line (start - run and type CMD) and navigate to the directory
where the _setup.xml file is located. Then enter the command “C:\WINDOWS\SYSTEM32\
MakeCAB.exe /D COMPRESS=OFF _setup.xml MyCPF.cpf “ to create a CPF file
that installs the XML settings on the device. Finally once you have the
MyCPF.CPF file you can install it on any Windows Mobile 5.0 device and the
device will have all the same settings. To install the MyCPF.CPF file just
copy it to your device and use File Explorer to navigate to the folder where
it is located and click on it to install it.
Testing a CPF File
Once you have installed the CPF file you can use a registry
editor (see above) to confirm that the security settings you enabled are
set. The common security settings are documented by Microsoft at
Default Security Policy Settings for Windows Mobile-Based Devices,
The registry is readable even if the registry editor is not digitally
signed to allow changes.
While Microsoft now provides administrators with the option to setup
default parameters and security on their devices, the process can be
daunting. Hand coding an XML file and creating a .CPF file is a process that
can fail due to typographical errors too easily. I hope that Microsoft or a
3rd party provides a simpler tool to customize these settings more easily
than creating a custom CPF file by hand. In the meantime, you can create
your own CPF file, edit the registry or consider the backup and restore
Return to Chris De Herrera's Windows CE