diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 1cd8888461..cea4653f7b 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -1,92 +1,98 @@
---
-title: Policy CSP - Desktop
-description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders.
+title: Desktop Policy CSP
+description: Learn more about the Desktop Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 12/29/2022
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - Desktop
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## Desktop policies
+
+## PreventUserRedirectionOfProfileFolders
-
- -
- Desktop/PreventUserRedirectionOfProfileFolders
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Desktop/PreventUserRedirectionOfProfileFolders
+```
+
-
-
-
-**Desktop/PreventUserRedirectionOfProfileFolders**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-
-
-
-
-
-This policy setting prevents users from changing the path to their profile folders.
+
+
+Prevents users from changing the path to their profile folders.
By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.
If you enable this setting, users are unable to type a new location in the Target box.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Prohibit User from manually redirecting Profile Folders*
-- GP name: *DisablePersonalDirChange*
-- GP path: *Desktop*
-- GP ADMX file name: *desktop.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+**ADMX mapping**:
+| Name | Value |
+|:--|:--|
+| Name | DisablePersonalDirChange |
+| Friendly Name | Prohibit User from manually redirecting Profile Folders |
+| Location | User Configuration |
+| Path | Desktop |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
+| Registry Value Name | DisablePersonalDirChange |
+| ADMX File Name | Desktop.admx |
+
-
+
+
+
-## Related topics
+
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
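Review bot: In the PreventUserRedirectionOfProfileFolders section, `**ADMX mapping**:` is placed directly under the `> This is an ADMX-backed policy ...` line with no blank line between them, so in CommonMark it is a lazy continuation of the blockquote and renders inside the tip; in the same section `**Description framework properties**:` and `**ADMX mapping**:` each run straight into the `| Property name | Property value |` and `| Name | Value |` header rows without a blank line, which several Markdown renderers require before a pipe table (otherwise the header row is absorbed into the preceding paragraph). Insert a blank line after the tip and before each table, matching the layout the EnableExperimentalFeatures section of the DesktopAppInstaller file already uses. Two smaller points: the page-level tip now says "Some of these are ADMX-backed policies" although this page documents a single policy, so the replaced wording "This is an ADMX-backed policy" was more accurate here; and the new front-matter `description` ("Learn more about the Desktop Area in Policy CSP") is less informative than the sentence it replaces and is missing its terminal period.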
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
index f6f865422e..bb9af56415 100644
--- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -1,595 +1,708 @@
---
-title: Policy CSP - DesktopAppInstaller
-description: Learn about the Policy CSP - DesktopAppInstaller.
-ms.author: v-aljupudi
+title: DesktopAppInstaller Policy CSP
+description: Learn more about the DesktopAppInstaller Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 12/29/2022
ms.localizationpriority: medium
-ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
-author: alekyaj
-ms.date: 08/24/2022
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - DesktopAppInstaller
->[!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
-
+
+## EnableAdditionalSources
-
-## DesktopAppInstaller policies
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
- -
- DesktopAppInstaller/EnableAdditionalSources
-
- -
- DesktopAppInstaller/EnableAppInstaller
-
- -
- DesktopAppInstaller/EnableDefaultSource
-
- -
- DesktopAppInstaller/EnableLocalManifestFiles
-
- -
- DesktopAppInstaller/EnableHashOverride
-
- -
- DesktopAppInstaller/EnableMicrosoftStoreSource
-
- -
- DesktopAppInstaller/EnableMSAppInstallerProtocol
-
- -
- DesktopAppInstaller/EnableSettings
-
- -
- DesktopAppInstaller/EnableAllowedSources
-
- -
- DesktopAppInstaller/EnableExperimentalFeatures
-
- -
- DesktopAppInstaller/SourceAutoUpdateInterval
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAdditionalSources
+```
+
+
+
+This policy controls additional sources provided by the enterprise IT administrator.
-
+If you do not configure this policy, no additional sources will be configured for the Windows Package Manager.
-
-**DesktopAppInstaller/EnableAdditionalSources**
+If you enable this policy, the additional sources will be added to the Windows Package Manager and cannot be removed. The representation for each additional source can be obtained from installed sources using 'winget source export'.
-
+If you disable this policy, no additional sources can be configured for the Windows Package Manager.
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
+**Description framework properties**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-> [!div class = "checklist"]
-> * Device
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-
-This policy controls additional sources configured for [Windows Package Manager](/windows/package-manager/).
+| Name | Value |
+|:--|:--|
+| Name | EnableAdditionalSources |
+| Friendly Name | Enable App Installer Additional Sources |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableAdditionalSources |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-If you don't configure this setting, no additional sources will be configured for Windows Package Manager.
+
+
+
-If you enable this setting, additional sources will be added to Windows Package Manager, and can't be removed. The representation for each additional source can be obtained from installed sources using [*winget source export*](/windows/package-manager/winget/).
+
-If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
+
+## EnableAllowedSources
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
-ADMX Info:
-- GP Friendly name: *Enable Additional Windows Package Manager Sources*
-- GP name: *EnableAdditionalSources*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAllowedSources
+```
+
-
-
+
+
+This policy controls additional sources allowed by the enterprise IT administrator.
-
+If you do not configure this policy, users will be able to add or remove additional sources other than those configured by policy.
+If you enable this policy, only the sources specified can be added or removed from the Windows Package Manager. The representation for each allowed source can be obtained from installed sources using 'winget source export'.
-
-**DesktopAppInstaller/EnableAppInstaller**
+If you disable this policy, no additional sources can be configured for the Windows Package Manager.
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-> [!div class = "checklist"]
-> * Device
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | EnableAllowedSources |
+| Friendly Name | Enable App Installer Allowed Sources |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableAllowedSources |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-
-
-This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy.
+
+
+
-- If you enable or don't configure this setting, users will be able to use the Windows Package Manager.
-- If you disable this setting, users won't be able to use the Windows Package Manager.
+
-
+
+## EnableAppInstaller
-
-ADMX Info:
-- GP Friendly name: *Controls whether the Windows Package Manager can be used by the users*
-- GP name: *EnableAppInstaller*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAppInstaller
+```
+
-
+
+
+This policy controls whether the Windows Package Manager can be used by users.
-
-**DesktopAppInstaller/EnableDefaultSource**
+If you enable or do not configure this setting, users will be able to use the Windows Package Manager.
-
+If you disable this setting, users will not be able to use the Windows Package Manager.
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy.
+
-
-
+
+**Description framework properties**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-> [!div class = "checklist"]
-> * Device
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | EnableAppInstaller |
+| Friendly Name | Enable App Installer |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableAppInstaller |
+| ADMX File Name | DesktopAppInstaller.admx |
+
+
+
+
+
+
+
+
+## EnableDefaultSource
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableDefaultSource
+```
+
+
+
+
This policy controls the default source included with the Windows Package Manager.
-If you do not configure this setting, the default source for the Windows Package Manager will be and can be removed.
-- If you enable this setting, the default source for the Windows Package Manager will be, and can't be removed.
-- If you disable this setting the default source for the Windows Package Manager won't be available.
-
+If you do not configure this setting, the default source for the Windows Package Manager will be available and can be removed.
-
-ADMX Info:
-- GP Friendly name: *Enable Windows Package Manager Default Source*
-- GP name: *EnableDefaultSource*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
+If you enable this setting, the default source for the Windows Package Manager will be available and cannot be removed.
-
-
+If you disable this setting the default source for the Windows Package Manager will not be available.
+
-
+
+
+
-
-**DesktopAppInstaller/EnableLocalManifestFiles**
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
+**ADMX mapping**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Name | Value |
+|:--|:--|
+| Name | EnableDefaultSource |
+| Friendly Name | Enable App Installer Default Source |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableDefaultSource |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-> [!div class = "checklist"]
-> * Device
+
+
+
-
+
-
-
+
+## EnableExperimentalFeatures
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableExperimentalFeatures
+```
+
+
+
+
+This policy controls whether users can enable experimental features in the Windows Package Manager.
+
+If you enable or do not configure this setting, users will be able to enable experimental features for the Windows Package Manager.
+
+If you disable this setting, users will not be able to enable experimental features for the Windows Package Manager.
+
+
+
+
+Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableExperimentalFeatures |
+| Friendly Name | Enable App Installer Experimental Features |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableExperimentalFeatures |
+| ADMX File Name | DesktopAppInstaller.admx |
+
+
+
+
+
+
+
+
+
+## EnableHashOverride
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableHashOverride
+```
+
+
+
+
+This policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings.
+
+If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings.
+
+If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableHashOverride |
+| Friendly Name | Enable App Installer Hash Override |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableHashOverride |
+| ADMX File Name | DesktopAppInstaller.admx |
+
+
+
+
+
+
+
+
+
+## EnableLocalManifestFiles
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableLocalManifestFiles
+```
+
+
+
+
This policy controls whether users can install packages with local manifest files.
-- If you enable or don't configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.
-- If you disable this setting, users won't be able to install packages with local manifests using the Windows Package Manager.
+If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.
-
+If you disable this setting, users will not be able to install packages with local manifests using the Windows Package Manager.
+
-
-ADMX Info:
-- GP Friendly name: *Enable Windows Package Manager Local Manifest Files*
-- GP name: *EnableLocalManifestFiles*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
-
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**DesktopAppInstaller/EnableHashOverride**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | EnableLocalManifestFiles |
+| Friendly Name | Enable App Installer Local Manifest Files |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableLocalManifestFiles |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * Device
+
+## EnableMicrosoftStoreSource
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
-
-
-This policy controls whether Windows Package Manager can be configured to enable the ability to override `SHA256` security validation in settings. Windows Package Manager compares the installer after it has downloaded with the hash provided in the manifest.
-
-- If you enable or do not configure this setting, users will be able to enable the ability to override `SHA256` security validation in Windows Package Manager settings.
-
-- If you disable this setting, users will not be able to enable the ability to override SHA256 security validation in Windows Package Manager settings.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Enable App Installer Hash Override*
-- GP name: *EnableHashOverride*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
-
-
-
-
-
-
-
-**DesktopAppInstaller/EnableMicrosoftStoreSource**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMicrosoftStoreSource
+```
+
+
+
This policy controls the Microsoft Store source included with the Windows Package Manager.
-If you don't configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed.
-- If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available, and can't be removed.
-- If you disable this setting the Microsoft Store source for the Windows Package Manager won't be available.
-
+If you do not configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed.
-
-ADMX Info:
-- GP Friendly name: *Enable Windows Package Manager Microsoft Store Source*
-- GP name: *EnableMicrosoftStoreSource*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
+If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available and cannot be removed.
-
-
+If you disable this setting the Microsoft Store source for the Windows Package Manager will not be available.
+
-
+
+
+
+
+
+**Description framework properties**:
-
-**DesktopAppInstaller/EnableMSAppInstallerProtocol**
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | EnableMicrosoftStoreSource |
+| Friendly Name | Enable App Installer Microsoft Store Source |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableMicrosoftStoreSource |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
+## EnableMSAppInstallerProtocol
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMSAppInstallerProtocol
+```
+
+
+
+
+This policy controls whether users can install packages from a website that is using the ms-appinstaller protocol.
+
+If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol.
+
+If you disable this setting, users will not be able to install packages from websites that use this protocol.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableMSAppInstallerProtocol |
+| Friendly Name | Enable App Installer ms-appinstaller protocol |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableMSAppInstallerProtocol |
+| ADMX File Name | DesktopAppInstaller.admx |
+
+
+
+
+
+
+
+
+
+## EnableSettings
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableSettings
+```
+
+
+
+
+This policy controls whether users can change their settings.
+
+If you enable or do not configure this setting, users will be able to change settings for the Windows Package Manager.
+
+If you disable this setting, users will not be able to change settings for the Windows Package Manager.
+
+
+
+
+The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableSettings |
+| Friendly Name | Enable App Installer Settings |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableSettings |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-
+
+
+
-
-
+
+
+
+## SourceAutoUpdateInterval
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/SourceAutoUpdateInterval
+```
+
+
+
+
+This policy controls the auto update interval for package-based sources.
+
+If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the Windows Package Manager.
+
+If you enable this setting, the number of minutes specified will be used by the Windows Package Manager.
+
+
+
+
+
+
+
+**Description framework properties**:
-This policy controls whether users can install packages from a website that is using the `ms-appinstaller` protocol.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-- If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SourceAutoUpdateInterval |
+| Friendly Name | Set App Installer Source Auto Update Interval In Minutes |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-- If you disable this setting, users will not be able to install packages from websites that use this protocol.
+
+
+
-
+
-
-ADMX Info:
-- GP Friendly name: *Enable MS App Installer Protocol*
-- GP name: *EnableMSAppInstallerProtocol*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
-
-
+
+
+## Related articles
-
-
-
-**DesktopAppInstaller/EnableSettings**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy controls whether users can change their settings. The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy.
-
-- If you enable or do not configure this setting, users will be able to change settings for Windows Package Manager.
-- If you disable this setting, users will not be able to change settings for Windows Package Manager.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Enable Windows Package Manager Settings Command*
-- GP name: *EnableSettings*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
-
-
-
-
-
-
-
-**DesktopAppInstaller/EnableAllowedSources**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy controls additional sources approved for users to configure using Windows Package Manager. If you don't configure this setting, users will be able to add or remove additional sources other than those configured by policy.
-
-- If you enable this setting, only the sources specified can be added or removed from Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export.
-- If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Enable Windows Package Manager Settings Command*
-- GP name: *EnableAllowedSources*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
-
-
-
-
-
-
-
-**DesktopAppInstaller/EnableExperimentalFeatures**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy controls whether users can enable experimental features in Windows Package Manager. Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior.
-
-- If you enable or do not configure this setting, users will be able to enable experimental features for Windows Package Manager.
-
-- If you disable this setting, users will not be able to enable experimental features for Windows Package Manager.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Enable Windows Package Manager Experimental Features*
-- GP name: *EnableExperimentalFeatures*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
-
-
-
-
-
-
-
-**DesktopAppInstaller/SourceAutoUpdateInterval**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources.
-
-- If you enable this setting, the number of minutes specified will be used by Windows Package Manager.
-
-- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by Windows Package Manager.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Set Windows Package Manager Source Auto Update Interval In Minutes*
-- GP name: *SourceAutoUpdateInterval*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
-
-
-
-
-
-
-
-
-## Related topics
-
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
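Review bot: The rewritten SourceAutoUpdateInterval description (`This policy controls the auto update interval for package-based sources.`) drops the operational detail the removed text carried: that the default source keeps a locally cached package index, that the index is refreshed only when a user invokes a command after the interval has elapsed (never in the background), and that the setting has no effect on REST-based sources. Those three facts are what an admin needs to judge whether lowering the interval buys anything, so please carry them into the new description. Also, the SourceAutoUpdateInterval ADMX mapping table has no `Registry Value Name` row while the EnableSettings table just above it does; add the row or state why it is absent so the two tables read consistently.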
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index c7f637d5a7..d4a0eaf1df 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -1,259 +1,351 @@
---
-title: Policy CSP - DeviceGuard
-description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard.
+title: DeviceGuard Policy CSP
+description: Learn more about the DeviceGuard Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 12/29/2022
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - DeviceGuard
+
+
+
-
+
+## ConfigureSystemGuardLaunch
-
-## DeviceGuard policies
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-
- -
- DeviceGuard/ConfigureSystemGuardLaunch
-
- -
- DeviceGuard/EnableVirtualizationBasedSecurity
-
- -
- DeviceGuard/LsaCfgFlags
-
- -
- DeviceGuard/RequirePlatformSecurityFeatures
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceGuard/ConfigureSystemGuardLaunch
+```
+
+
+
+Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch.
+
-
-
-
-**DeviceGuard/ConfigureSystemGuardLaunch**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|No|No|
-|Windows SE|No|No|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy allows the IT admin to configure the launch of System Guard.
-
-Secure Launch configuration:
-
-- 0 - Unmanaged, configurable by Administrative user
-- 1 - Enables Secure Launch if supported by hardware
-- 2 - Disables Secure Launch.
-
+
+
For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows).
+
-
-
-ADMX Info:
-- GP Friendly name: *Turn On Virtualization Based Security*
-- GP name: *VirtualizationBasedSecurity*
-- GP element: *SystemGuardDrop*
-- GP path: *System/Device Guard*
-- GP ADMX file name: *DeviceGuard.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Unmanaged Configurable by Administrative user |
+| 1 | Unmanaged Enables Secure Launch if supported by hardware |
+| 2 | Unmanaged Disables Secure Launch |
+
-
-
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | VirtualizationBasedSecurity |
+| Friendly Name | Turn On Virtualization Based Security |
+| Element Name | Secure Launch Configuration |
+| Location | Computer Configuration |
+| Path | System > Device Guard |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
+| ADMX File Name | DeviceGuard.admx |
+
-
-**DeviceGuard/EnableVirtualizationBasedSecurity**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|No|No|
-|Windows SE|No|No|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## EnableVirtualizationBasedSecurity
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity
+```
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+Specifies whether Virtualization Based Security is enabled.
-> [!div class = "checklist"]
-> * Device
+Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot, and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices.
-
+Virtualization Based Protection of Code Integrity
-
-
-Turns on virtualization based security(VBS) at the next reboot. Virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
+This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature.
-
-
-ADMX Info:
-- GP Friendly name: *Turn On Virtualization Based Security*
-- GP name: *VirtualizationBasedSecurity*
-- GP path: *System/Device Guard*
-- GP ADMX file name: *DeviceGuard.admx*
+The "Disabled" option turns off Virtualization Based Protection of Code Integrity remotely if it was previously turned on with the "Enabled without lock" option.
-
-
-The following list shows the supported values:
+The "Enabled with UEFI lock" option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
-- 0 (default) - disable virtualization based security.
-- 1 - enable virtualization based security.
+The "Enabled without lock" option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy.
-
-
+The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified.
-
+The "Require UEFI Memory Attributes Table" option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility.
-
-**DeviceGuard/LsaCfgFlags**
+Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible.
-
+Credential Guard
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|No|No|
-|Windows SE|No|No|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials.
+For Windows 11 21H2 and earlier, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option. For later versions, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option or was "Not Configured".
-
-
+The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+The "Enabled without lock" option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).
-> [!div class = "checklist"]
-> * Device
+For Windows 11 21H2 and earlier, the "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. For later versions, if there is no current setting in the registry, the "Not Configured" option will enable Credential Guard without UEFI lock.
-
+Secure Launch
-
-
+This setting sets the configuration of Secure Launch to secure the boot chain.
+
+The "Not Configured" setting is the default, and allows configuration of the feature by Administrative users.
+
+The "Enabled" option turns on Secure Launch on supported hardware.
+
+The "Disabled" option turns off Secure Launch, regardless of hardware support.
+
+Kernel-mode Hardware-enforced Stack Protection
+
+This setting enables Hardware-enforced Stack Protection for kernel-mode code. When this security feature is enabled, kernel-mode data stacks are hardened with hardware-based shadow stacks, which store intended return address targets to ensure that program control flow is not tampered.
+
+This security feature has the following prerequisites:
+1) The CPU hardware supports hardware-based shadow stacks.
+2) Virtualization Based Protection of Code Integrity is enabled.
+
+If either prerequisite is not met, this feature will not be enabled, even if an "Enabled" option is selected for this feature.
+
+**Note** that selecting an "Enabled" option for this feature will not automatically enable Virtualization Based Protection of Code Integrity, that needs to be done separately.
+
+Devices that enable this security feature must be running at least Windows 11 (Version 22H2).
+
+The "Disabled" option turns off kernel-mode Hardware-enforced Stack Protection.
+
+The "Enabled in audit mode" option enables kernel-mode Hardware-enforced Stack Protection in audit mode, where shadow stack violations are not fatal and will be logged to the system event log.
+
+The "Enabled in enforcement mode" option enables kernel-mode Hardware-enforced Stack Protection in enforcement mode, where shadow stack violations are fatal.
+
+The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified.
+
+Warning: All drivers on the system must be compatible with this security feature or the system may crash in enforcement mode. Audit mode can be used to discover incompatible drivers. For more information, refer to .
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | disable virtualization based security. |
+| 1 | enable virtualization based security. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | VirtualizationBasedSecurity |
+| Friendly Name | Turn On Virtualization Based Security |
+| Location | Computer Configuration |
+| Path | System > Device Guard |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
+| Registry Value Name | EnableVirtualizationBasedSecurity |
+| ADMX File Name | DeviceGuard.admx |
+
+
+
+
+
+
+
+
+
+## LsaCfgFlags
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags
+```
+
+
+
+
+Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock. |
+| 1 | (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock. |
+| 2 | (Enabled without lock) Turns on Credential Guard without UEFI lock. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | VirtualizationBasedSecurity |
+| Friendly Name | Turn On Virtualization Based Security |
+| Element Name | Credential Guard Configuration |
+| Location | Computer Configuration |
+| Path | System > Device Guard |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
+| ADMX File Name | DeviceGuard.admx |
+
+
+
+
+
+
+
+
+
+## RequirePlatformSecurityFeatures
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures
+```
+
+
+
+
+Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.
+
+
+
+
This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer.
+
-
-
-ADMX Info:
-- GP Friendly name: *Turn On Virtualization Based Security*
-- GP name: *VirtualizationBasedSecurity*
-- GP element: *CredentialIsolationDrop*
-- GP path: *System/Device Guard*
-- GP ADMX file name: *DeviceGuard.admx*
+
+**Description framework properties**:
-
-
-The following list shows the supported values:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-- 0 (default) - (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock.
-- 1 - (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.
-- 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock.
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 1 (Default) | Turns on VBS with Secure Boot. |
+| 3 | Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support. |
+
-
+
+**Group policy mapping**:
-
-**DeviceGuard/RequirePlatformSecurityFeatures**
+| Name | Value |
+|:--|:--|
+| Name | VirtualizationBasedSecurity |
+| Friendly Name | Turn On Virtualization Based Security |
+| Element Name | Select Platform Security Level |
+| Location | Computer Configuration |
+| Path | System > Device Guard |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
+| ADMX File Name | DeviceGuard.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|No|No|
-|Windows SE|No|No|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This setting specifies the platform security level at the next reboot. Value type is integer.
-
-
-
-ADMX Info:
-- GP Friendly name: *Turn On Virtualization Based Security*
-- GP name: *VirtualizationBasedSecurity*
-- GP element: *RequirePlatformSecurityFeaturesDrop*
-- GP path: *System/Device Guard*
-- GP ADMX file name: *DeviceGuard.admx*
-
-
-
-The following list shows the supported values:
-
-- 1 (default) - Turns on VBS with Secure Boot.
-- 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
-
-
-
-
-
-
-
-
-
-## Related topics
+## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
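Review bot: The unchanged context line `This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer.` now lands under the RequirePlatformSecurityFeatures heading, directly after `Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA.`; it is the old LsaCfgFlags description and should be deleted here, since LsaCfgFlags has its own description above. Two smaller points in the same hunk: the ConfigureSystemGuardLaunch allowed-values table prefixes values 1 and 2 with `Unmanaged` (`1 | Unmanaged Enables Secure Launch if supported by hardware`, `2 | Unmanaged Disables Secure Launch`), which contradicts the description line and the removed list, where only 0 is Unmanaged; and the EnableVirtualizationBasedSecurity description ends with `For more information, refer to .` with the link target missing. That same description pastes the whole ADMX explain text, including the Credential Guard, Secure Launch and Kernel-mode Hardware-enforced Stack Protection sections, even though this node only takes `0` or `1` for VBS itself and those features are governed by LsaCfgFlags and ConfigureSystemGuardLaunch; consider trimming it to the VBS and code-integrity parts so readers are not led to believe this single integer toggles Credential Guard or the UEFI lock.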
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 9b12315551..38b1ab8c83 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -1,189 +1,200 @@
---
-title: Policy CSP - DeviceHealthMonitoring
-description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft.
+title: DeviceHealthMonitoring Policy CSP
+description: Learn more about the DeviceHealthMonitoring Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 12/29/2022
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - DeviceHealthMonitoring
+
+
+
+
+## AllowDeviceHealthMonitoring
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
-
-## DeviceHealthMonitoring policies
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring
+```
+
-
- -
- DeviceHealthMonitoring/AllowDeviceHealthMonitoring
-
- -
- DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope
-
- -
- DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination
-
-
+
+
+Enable/disable 4Nines device health monitoring on devices.
+
+
+
+
-
+
+**Description framework properties**:
-
-**DeviceHealthMonitoring/AllowDeviceHealthMonitoring**
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
+
+**Allowed values**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Value | Description |
+|:--|:--|
+| 1 | The DeviceHealthMonitoring connection is enabled. |
+| 0 (Default) | The DeviceHealthMonitoring connection is disabled. |
+
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## ConfigDeviceHealthMonitoringScope
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope
+```
+
-
-
-DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service that requires it.
+
+
+If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored.
+
-
-
-The following list shows the supported values:
+
+
+
-- 1 -The DeviceHealthMonitoring connection is enabled.
-- 0 - (default)—The DeviceHealthMonitoring connection is disabled.
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringScope_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+
-
-
+
+
+
-
-
+
-
+
+## ConfigDeviceHealthMonitoringServiceInstance
-
-**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope**
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringServiceInstance
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which service instance to which events are to be uploaded.
+
+
+
+
-
-
+
+**Description framework properties**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringServiceInstance_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+
-> [!div class = "checklist"]
-> * Device
+
+
+
-
+
-
-
-This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
-This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection.
-IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service.
+
+## ConfigDeviceHealthMonitoringUploadDestination
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination
+```
+
-
-
+
+
+If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded.
+
-
-
+
+
+
-
-
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringUploadDestination_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+
-
-**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
+
-
-
+## Related articles
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
-
-The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios.
-In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked.
-
-Configure this policy manually only when explicitly instructed to do so by a Microsoft device monitoring service.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
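Review bot: The new AllowDeviceHealthMonitoring description, `Enable/disable 4Nines device health monitoring on devices.`, replaces the removed guidance that this is an opt-in connection between the device and Microsoft which should be enabled only when the organization uses a Microsoft device monitoring service that requires it; `4Nines` is an internal name that tells readers nothing, so please restore the removed wording. Likewise, the removed text for ConfigDeviceHealthMonitoringScope and ConfigDeviceHealthMonitoringUploadDestination told admins that Intune manages these values dynamically (for the upload destination, to match the region or sovereign cloud the tenant is linked to) and that they should be set manually only when a Microsoft monitoring service explicitly instructs it. The new descriptions keep only the dependency on AllowDeviceHealthMonitoring, so that caveat should be carried over, and the newly documented ConfigDeviceHealthMonitoringServiceInstance node, which has no such note either, needs the same treatment; without it an admin has no way to know that hand-setting these strings can redirect health telemetry away from the destination Intune expects.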
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index de68aa4b4e..ea11b5d336 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -1,135 +1,102 @@
---
-title: Policy CSP - DeviceInstallation
-ms.reviewer:
+title: DeviceInstallation Policy CSP
+description: Learn more about the DeviceInstallation Area in Policy CSP
+author: vinaypamnani-msft
manager: aaroncz
-description: Use the Policy CSP - DeviceInstallation setting to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install.
ms.author: vinpa
-ms.date: 09/27/2019
-ms.topic: article
+ms.date: 12/29/2022
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
+ms.topic: reference
---
+
+
+
# Policy CSP - DeviceInstallation
->[!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-
-
-
-## DeviceInstallation policies
-
-
- -
- DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
-
- -
- DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
-
- -
- DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
-
- -
- DeviceInstallation/EnableInstallationPolicyLayering
-
- -
- DeviceInstallation/PreventDeviceMetadataFromNetwork
-
- -
- DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
-
- -
- DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
-
- -
- DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
-
- -
- DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
-
-
-
-
-
-
-
-### DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting allows you to specify a list of plug-and-play hardware IDs and compatible IDs for devices that Windows is allowed to install.
-
> [!TIP]
-> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+
+
+## AllowInstallationOfMatchingDeviceIDs
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
+```
+
+
+
+
+This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
+- Prevent installation of devices that match these device IDs
+- Prevent installation of devices that match any of these device instance IDs
+If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-- Prevent installation of devices that match these device IDs.
-- Prevent installation of devices that match any of these device instance IDs.
+NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
-If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-
-> [!NOTE]
-> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
-
-Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
+Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+
+
+
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-ADMX Info:
-- GP Friendly name: *Allow installation of devices that match any of these device IDs*
-- GP name: *DeviceInstall_IDs_Allow*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_IDs_Allow |
+| Friendly Name | Allow installation of devices that match any of these device IDs |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | AllowDeviceIDs |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+
+**Example**:
-
-
To enable this policy, use the following SyncML. This example allows Windows to install compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter.
-
```xml
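Review bot: in the rewritten description the bulleted list `- Prevent installation of devices that match these device IDs` / `- Prevent installation of devices that match any of these device instance IDs` has no blank line before it or after it, so the following sentence `If the "Apply layered order of evaluation ..." policy setting is not enabled ...` becomes a lazy continuation of the last bullet when rendered; add a blank line on both sides of the list. Two more points in the same hunk: the `NOTE:` line replaces the `> [!NOTE]` callout used elsewhere in this file (the `> [!TIP]` a few lines up shows the convention), and `is not` / `do not` replace the contractions the old text used, which reads like a generator regression rather than an intended edit; and the `**Description framework properties**:` label now sits directly above the `| Property name | Property value |` table with the old blank line deleted, which some renderers need to recognise a table. Also worth checking: the Scope / Editions / Applicable OS row is split over several physical lines, so confirm the source joins the cells with `<br>` inside one row; the TIP still writes `<Format>chr</Format>` outside backticks, which Markdown treats as an HTML tag and hides; and the example sentence `use `` as a delimiter` shows an empty code span where the delimiter character should be, so if that character was dropped, spell it out.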
@@ -157,79 +124,77 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
-
-
+
-
-
+
-
+
+## AllowInstallationOfMatchingDeviceInstanceIDs
-
-### DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install.
-
-> [!TIP]
-> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
+
+
+This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
+- Prevent installation of devices that match any of these device instance IDs
+If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-- Prevent installation of devices that match any of these device instance IDs.
-
-If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-
-> [!NOTE]
-> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
+NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+
+
+
Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Allow installation of devices that match any of these device instance IDs*
-- GP name: *DeviceInstall_Instance_IDs_Allow*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_Instance_IDs_Allow |
+| Friendly Name | Allow installation of devices that match any of these device instance IDs |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | AllowInstanceIDs |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+
+**Example**:
-
-
To enable this policy, use the following SyncML.
``` xml
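Review bot: the single-item list `- Prevent installation of devices that match any of these device instance IDs` is immediately followed by `If the "Apply layered order of evaluation ..." policy setting is not enabled ...` with no blank line, so that sentence renders as part of the bullet; insert a blank line before and after the list. As in the sibling sections, `NOTE:` replaces the `> [!NOTE]` callout and the contractions are expanded, and `**Description framework properties**:` is followed directly by `| Property name | Property value |` with no separating blank line; both look like generator artefacts rather than deliberate edits and should be corrected before merge.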
@@ -257,81 +222,79 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
-
-
+
-
-
+
-
+
+## AllowInstallationOfMatchingDeviceSetupClasses
-
-### DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install.
-
-> [!TIP]
-> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
+
+
+This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
-
- Prevent installation of devices for these device classes
- Prevent installation of devices that match these device IDs
- Prevent installation of devices that match any of these device instance IDs
+If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-
-> [!NOTE]
-> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
+NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+
+
+
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Allow installation of devices using drivers that match these device setup classes*
-- GP name: *DeviceInstall_Classes_Allow*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_Classes_Allow |
+| Friendly Name | Allow installation of devices using drivers that match these device setup classes |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | AllowDeviceClasses |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+
+**Example**:
-
-
To enable this policy, use the following SyncML. This example allows Windows to install:
- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318}
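Review bot: the unchanged "Alternatively, ..." sentence in this section still names the policy as `"Prevent installation of devices that match these device IDs"`, whereas the same sentence in the AllowInstallationOfMatchingDeviceIDs section was corrected in this change to `"Prevent installation of devices that match any of these device IDs"`, matching the friendly name in the ADMX mapping table; align this occurrence too. Formatting in the same hunk: deleting the blank line between the sentence ending in `... such as the following policy settings:` and the three `- Prevent installation ...` bullets, with `If the "Apply layered order of evaluation ..."` appended straight after the last bullet, makes that sentence a lazy continuation of the bullet; restore blank lines around the list, and add one between `**Description framework properties**:` and the table.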
@@ -359,6 +322,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes,
```
+**Verify**:
To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
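Review bot: the new `**Verify**:` label is inserted directly after the closing code fence and directly before the `To verify that the policy is applied ...` sentence with no blank lines on either side, so it will merge into the sentence as one paragraph; surround it with blank lines so it renders as its own label, the way `**Example**:` does above.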
@@ -369,82 +333,85 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
-
-
+
-
-
+
-
+
+## EnableInstallationPolicyLayering
-
-### DeviceInstallation/EnableInstallationPolicyLayering
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.256] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/EnableInstallationPolicyLayering
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-Added in Windows 10, Version 2106
-
-
-
-
+
+
This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:
Device instance IDs > Device IDs > Device setup class > Removable devices
-**Device instance IDs**
+Device instance IDs
+1. Prevent installation of devices using drivers that match these device instance IDs
+2. Allow installation of devices using drivers that match these device instance IDs
-- Prevent installation of devices using drivers that match these device instance IDs.
-- Allow installation of devices using drivers that match these device instance IDs.
+Device IDs
+3. Prevent installation of devices using drivers that match these device IDs
+4. Allow installation of devices using drivers that match these device IDs
-**Device IDs**
-- Prevent installation of devices using drivers that match these device IDs.
-- Allow installation of devices using drivers that match these device IDs.
+Device setup class
+5. Prevent installation of devices using drivers that match these device setup classes
+6. Allow installation of devices using drivers that match these device setup classes
-**Device setup class**
-- Prevent installation of devices using drivers that match these device setup classes.
-- Allow installation of devices using drivers that match these device setup classes.
+Removable devices
+7. Prevent installation of removable devices
-**Removable devices**
-- Prevent installation of removable devices.
+NOTE: This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
-> [!NOTE]
-> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
+If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
+
-If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
+
+
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria*
-- GP name: *DeviceInstall_Allow_Deny_Layered*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_Allow_Deny_Layered |
+| Friendly Name | Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | AllowDenyLayered |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+
+**Example**:
-
-
```xml
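Review bot: the rewritten evaluation-order block breaks when rendered: a plain-text line such as `Device IDs` followed immediately by `3. Prevent installation of devices using drivers that match these device IDs` is not parsed as a list, because an ordered list that does not start at 1 cannot interrupt a paragraph, so items 3 to 7 will be folded into the `Device IDs`, `Device setup class` and `Removable devices` lines as running text. Keep a blank line before each group and either restore the bold `**Device instance IDs**` style sub-headings this hunk removes or turn the groups into a single list. The Applicable OS cell also carries a placeholder, `Unknown [10.0.20348.256] and later`; build 10.0.20348 is Windows Server 2022, so resolve the name before publishing. As in the other sections, `NOTE:` should remain a `> [!NOTE]` callout and the table under `**Description framework properties**:` needs a blank line before it.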
@@ -463,6 +430,7 @@ ADMX Info:
```
+**Verify**:
To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
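Review bot: `**Verify**:` is added here with no blank line after the preceding code fence and none before `To verify that the policy is applied ...`, so the label and the sentence will render as one paragraph; add blank lines around it so it is styled like the `**Example**:` label earlier in the section.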
@@ -477,126 +445,133 @@ You can also change the evaluation order of device installation policy settings
:::image type="content" source="images/edit-row.png" alt-text="This image is an edit row image.":::
-
-
-
-
-
+
-
-### DeviceInstallation/PreventDeviceMetadataFromNetwork
+
-
+
+## PreventDeviceMetadataFromNetwork
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventDeviceMetadataFromNetwork
+```
+
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet.
-If you enable this policy setting, Windows doesn't retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab).
+If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab).
-If you disable or don't configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
+If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Prevent device metadata retrieval from the Internet*
-- GP name: *DeviceMetadata_PreventDeviceMetadataFromNetwork*
-- GP path: *System/Device Installation*
-- GP ADMX file name: *DeviceSetup.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
+**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | DeviceMetadata_PreventDeviceMetadataFromNetwork |
+| Friendly Name | Prevent device metadata retrieval from the Internet |
+| Location | Computer Configuration |
+| Path | System > Device Installation |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Device Metadata |
+| Registry Value Name | PreventDeviceMetadataFromNetwork |
+| ADMX File Name | DeviceSetup.admx |
+
-
-
+
+
+
-
+
-
-### DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
+
+## PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
+```
+
+
+
+This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting.
-
-
+NOTE: This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting.
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting.
-> [!div class = "checklist"]
-> * Device
+If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting.
+
-
+
+
+
-
-
-This policy setting allows you to prevent the installation of devices that aren't described by any other policy setting.
+
+**Description framework properties**:
-> [!NOTE]
-> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that isn't described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-If you disable or don't configure this policy setting, Windows is allowed to install or update the driver package for any device that isn't described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting.
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_Unspecified_Deny |
+| Friendly Name | Prevent installation of devices not described by other policy settings |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | DenyUnspecified |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+**Example**:
-
-ADMX Info:
-- GP Friendly name: *Prevent installation of devices not described by other policy settings*
-- GP name: *DeviceInstall_Unspecified_Deny*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
-
-
-
-
-
-
To enable this policy, use the following SyncML. This example prevents Windows from installing devices that aren't described by any other policy setting.
-
```xml
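Review bot: the new Scope/Editions table loses information the old edition table carried: the removed rows said Windows SE is "No" for Windows 10 and "Yes" for Windows 11, and listed Business as supported, but the replacement marks Windows SE supported against "Windows 10, version 1809 and later" and drops Business altogether. Either keep the per-OS distinction for Windows SE or note that it is a Windows 11 edition, and restore Business (or state that it is covered under Pro). Two smaller points in the same hunk: the `> [!NOTE]` admonition is downgraded to a plain "NOTE:" sentence, which loses the docs alert rendering the other policies had, and the registry key for PreventDeviceMetadataFromNetwork is written `SOFTWARE\Policies\...` while every other mapping uses `Software\Policies\...`; the path is case-insensitive, so just pick one spelling.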
@@ -616,6 +591,8 @@ To enable this policy, use the following SyncML. This example prevents Windows f
```
+**Verify**:
+
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
```txt
@@ -628,69 +605,71 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
You can also block installation by using a custom profile in Intune.

-
-
+
-
-
+
-
+
+## PreventInstallationOfMatchingDeviceIDs
-
-### DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.
-> [!NOTE]
-> To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting.
+NOTE: To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting.
If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+
+
+
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Prevent installation of devices that match any of these device IDs*
-- GP name: *DeviceInstall_IDs_Deny*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_IDs_Deny |
+| Friendly Name | Prevent installation of devices that match any of these device IDs |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | DenyDeviceIDs |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+
+**Example**:
-
-
-
To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use 
as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true.
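Review bot: `**Example**:` is placed immediately above the unchanged "To enable this policy, use the following SyncML..." line with no blank line, so the label merges into that paragraph; the `**Verify**:` label later in the patch does get a blank line, so this one should too. While touching this section, the example text has two defects worth fixing in the same change: the delimiter in "use ... as a delimiter" does not appear in the rendered text (the separator character needs to be shown as an escaped entity or in code font), and "To configure multiple classes" should read "multiple IDs", since this policy takes hardware and compatible IDs, not setup classes. The `> [!NOTE]` admonition is also turned into plain "NOTE:" text here; keep the admonition.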
@@ -713,6 +692,8 @@ To enable this policy, use the following SyncML. This example prevents Windows f
```
+**Verify**:
+
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
```txt
@@ -727,65 +708,69 @@ You can also block installation and usage of prohibited peripherals by using a c
For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USB\Composite" and "USB\Class_FF", and applies to USB devices with matching hardware IDs that are already installed.

-
-
+
-
-
+
-
+
+## PreventInstallationOfMatchingDeviceInstanceIDs
-
-### DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+
+
+
Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Prevent installation of devices that match any of these device instance IDs*
-- GP name: *DeviceInstall_Instance_IDs_Deny*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_Instance_IDs_Deny |
+| Friendly Name | Prevent installation of devices that match any of these device instance IDs |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | DenyInstanceIDs |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+
+**Example**:
-
-
To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with device instance IDs of USB\VID_1F75 and USB\VID_0781. To configure multiple classes, use `` as a delimiter.
``` xml
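Review bot: two of the unchanged lines in this section are wrong and this patch is the right place to correct them. "Test the configuration prior to rolling it out to ensure it allows the devices expected" describes a Prevent policy, so it should say "blocks", matching the wording used for the device-ID policy above. The example sentence says it blocks "device instance IDs of USB\VID_1F75 and USB\VID_0781", but those strings are hardware-ID prefixes (vendor ID only); a device instance ID includes the product ID and the instance path or serial, and this policy matches on the full instance ID, so an operator copying the example would expect a block that does not happen. The same sentence also says "multiple classes" with an empty delimiter in backticks; make it "multiple instance IDs" and show the delimiter.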
@@ -806,6 +791,9 @@ To enable this policy, use the following SyncML. This example prevents Windows f
```
+
+**Verify**
+
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
``` txt
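Review bot: the label added here is `**Verify**` without the trailing colon, whereas the same label is `**Verify**:` in the other sections this patch touches; add the colon for consistency.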
@@ -834,68 +822,71 @@ with
> don't use spaces in the value.
3. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile.
-
-
+
-
-
+
-
+
+## PreventInstallationOfMatchingDeviceSetupClasses
-
-### DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.
-> [!NOTE]
-> To enable the "Allow installation of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting.
+NOTE: To enable the "Allow installation of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting.
If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
+If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
+
+
+
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Prevent installation of devices using drivers that match these device setup classes*
-- GP name: *DeviceInstall_Classes_Deny*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_Classes_Deny |
+| Friendly Name | Prevent installation of devices using drivers that match these device setup classes |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | DenyDeviceClasses |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+
+**Example**:
-
-
To enable this policy, use the following SyncML. This example prevents Windows from installing:
- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318}
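Review bot: the `> [!NOTE]` admonition is replaced by a plain "NOTE:" sentence, which loses the alert styling used elsewhere in the docs; keep the admonition. The unchanged sentence "Peripherals can be specified by their hardware identity ... Device Identifier Formats" was copied from the device-ID policy and does not fit this one, which matches on device setup class GUIDs (as the example list immediately below shows); point readers at the setup-class reference instead. Also add a blank line after `**Example**:` so it does not merge with the "To enable this policy, use the following SyncML" paragraph.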
@@ -924,6 +915,8 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes,
```
+**Verify**:
+
To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
```txt
@@ -932,17 +925,16 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
-
-
+
-
-
-
+
+
+
+
+
-
-
-## Related topics
+## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)