deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

desktop desktopa;;installer deviceguard devicehealthmonitoring deviceinstallation

Browse Source
This commit is contained in:
Liz Long 2022-12-29 12:01:25 -05:00
parent 2447a37757
commit 03f55e0b8e
5 changed files with 1603 additions and 1389 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

130
windows/client-management/mdm/policy-csp-desktop.md
View File

@ -1,92 +1,98 @@
---
title: Policy CSP - Desktop
description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders.
title: Desktop Policy CSP
description: Learn more about the Desktop Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.date: 12/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- Desktop-Begin -->
# Policy CSP - Desktop
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!-- Desktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Desktop-Editable-End -->
<!--Policies-->
## Desktop policies
<!-- PreventUserRedirectionOfProfileFolders-Begin -->
## PreventUserRedirectionOfProfileFolders
<dl>
<dd>
<a href="#desktop-preventuserredirectionofprofilefolders">Desktop/PreventUserRedirectionOfProfileFolders</a>
</dd>
</dl>
<!-- PreventUserRedirectionOfProfileFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
<!-- PreventUserRedirectionOfProfileFolders-Applicability-End -->
<!-- PreventUserRedirectionOfProfileFolders-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Desktop/PreventUserRedirectionOfProfileFolders
```
<!-- PreventUserRedirectionOfProfileFolders-OmaUri-End -->
<hr/>
<!--Policy-->
<a href="" id="desktop-preventuserredirectionofprofilefolders"></a>**Desktop/PreventUserRedirectionOfProfileFolders**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting prevents users from changing the path to their profile folders.
<!-- PreventUserRedirectionOfProfileFolders-Description-Begin -->
<!-- Description-Source-ADMX -->
Prevents users from changing the path to their profile folders.
By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.
If you enable this setting, users are unable to type a new location in the Target box.
<!-- PreventUserRedirectionOfProfileFolders-Description-End -->
<!--/Description-->
<!-- PreventUserRedirectionOfProfileFolders-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- PreventUserRedirectionOfProfileFolders-Editable-End -->
<!-- PreventUserRedirectionOfProfileFolders-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Prohibit User from manually redirecting Profile Folders*
- GP name: *DisablePersonalDirChange*
- GP path: *Desktop*
- GP ADMX file name: *desktop.admx*
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- PreventUserRedirectionOfProfileFolders-DFProperties-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!-- PreventUserRedirectionOfProfileFolders-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | DisablePersonalDirChange |
| Friendly Name | Prohibit User from manually redirecting Profile Folders |
| Location | User Configuration |
| Path | Desktop |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Registry Value Name | DisablePersonalDirChange |
| ADMX File Name | Desktop.admx |
<!-- PreventUserRedirectionOfProfileFolders-AdmxBacked-End -->
<!--/Policies-->
<!-- PreventUserRedirectionOfProfileFolders-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- PreventUserRedirectionOfProfileFolders-Examples-End -->
## Related topics
<!-- PreventUserRedirectionOfProfileFolders-End -->
[Policy configuration service provider](policy-configuration-service-provider.md)
<!-- Desktop-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Desktop-CspMoreInfo-End -->
<!-- Desktop-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

1097
windows/client-management/mdm/policy-csp-desktopappinstaller.md
View File

File diff suppressed because it is too large Load Diff

496
windows/client-management/mdm/policy-csp-deviceguard.md
View File

@ -1,259 +1,351 @@
---
title: Policy CSP - DeviceGuard
description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard.
title: DeviceGuard Policy CSP
description: Learn more about the DeviceGuard Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.date: 12/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- DeviceGuard-Begin -->
# Policy CSP - DeviceGuard
<!-- DeviceGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DeviceGuard-Editable-End -->
<hr/>
<!-- ConfigureSystemGuardLaunch-Begin -->
## ConfigureSystemGuardLaunch
<!--Policies-->
## DeviceGuard policies
<!-- ConfigureSystemGuardLaunch-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
<!-- ConfigureSystemGuardLaunch-Applicability-End -->
<dl>
<dd>
<a href="#deviceguard-configuresystemguardlaunch">DeviceGuard/ConfigureSystemGuardLaunch</a>
</dd>
<dd>
<a href="#deviceguard-enablevirtualizationbasedsecurity">DeviceGuard/EnableVirtualizationBasedSecurity</a>
</dd>
<dd>
<a href="#deviceguard-lsacfgflags">DeviceGuard/LsaCfgFlags</a>
</dd>
<dd>
<a href="#deviceguard-requireplatformsecurityfeatures">DeviceGuard/RequirePlatformSecurityFeatures</a>
</dd>
</dl>
<!-- ConfigureSystemGuardLaunch-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/ConfigureSystemGuardLaunch
```
<!-- ConfigureSystemGuardLaunch-OmaUri-End -->
<!-- ConfigureSystemGuardLaunch-Description-Begin -->
<!-- Description-Source-DDF -->
Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch.
<!-- ConfigureSystemGuardLaunch-Description-End -->
<hr/>
<!--Policy-->
<a href="" id="deviceguard-configuresystemguardlaunch"></a>**DeviceGuard/ConfigureSystemGuardLaunch**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows the IT admin to configure the launch of System Guard.
Secure Launch configuration:
- 0 - Unmanaged, configurable by Administrative user
- 1 - Enables Secure Launch if supported by hardware
- 2 - Disables Secure Launch.
<!-- ConfigureSystemGuardLaunch-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows).
<!-- ConfigureSystemGuardLaunch-Editable-End -->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Turn On Virtualization Based Security*
- GP name: *VirtualizationBasedSecurity*
- GP element: *SystemGuardDrop*
- GP path: *System/Device Guard*
- GP ADMX file name: *DeviceGuard.admx*
<!-- ConfigureSystemGuardLaunch-DFProperties-Begin -->
**Description framework properties**:
<!--/ADMXMapped-->
<!--SupportedValues-->
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureSystemGuardLaunch-DFProperties-End -->
<!--/SupportedValues-->
<!--Example-->
<!-- ConfigureSystemGuardLaunch-AllowedValues-Begin -->
**Allowed values**:
<!--/Example-->
<!--Validation-->
| Value | Description |
|:--|:--|
| 0 (Default) | Unmanaged Configurable by Administrative user |
| 1 | Unmanaged Enables Secure Launch if supported by hardware |
| 2 | Unmanaged Disables Secure Launch |
<!-- ConfigureSystemGuardLaunch-AllowedValues-End -->
<!--/Validation-->
<!--/Policy-->
<!-- ConfigureSystemGuardLaunch-GpMapping-Begin -->
**Group policy mapping**:
<hr/>
| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Secure Launch Configuration |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |
<!-- ConfigureSystemGuardLaunch-GpMapping-End -->
<!--Policy-->
<a href="" id="deviceguard-enablevirtualizationbasedsecurity"></a>**DeviceGuard/EnableVirtualizationBasedSecurity**
<!-- ConfigureSystemGuardLaunch-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSystemGuardLaunch-Examples-End -->
<!--SupportedSKUs-->
<!-- ConfigureSystemGuardLaunch-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- EnableVirtualizationBasedSecurity-Begin -->
## EnableVirtualizationBasedSecurity
<!-- EnableVirtualizationBasedSecurity-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- EnableVirtualizationBasedSecurity-Applicability-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- EnableVirtualizationBasedSecurity-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity
```
<!-- EnableVirtualizationBasedSecurity-OmaUri-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- EnableVirtualizationBasedSecurity-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies whether Virtualization Based Security is enabled.
> [!div class = "checklist"]
> * Device
Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot, and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices.
<hr/>
Virtualization Based Protection of Code Integrity
<!--/Scope-->
<!--Description-->
Turns on virtualization based security(VBS) at the next reboot. Virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Turn On Virtualization Based Security*
- GP name: *VirtualizationBasedSecurity*
- GP path: *System/Device Guard*
- GP ADMX file name: *DeviceGuard.admx*
The "Disabled" option turns off Virtualization Based Protection of Code Integrity remotely if it was previously turned on with the "Enabled without lock" option.
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
The "Enabled with UEFI lock" option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
- 0 (default) - disable virtualization based security.
- 1 - enable virtualization based security.
The "Enabled without lock" option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy.
<!--/SupportedValues-->
<!--/Policy-->
The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified.
<hr/>
The "Require UEFI Memory Attributes Table" option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility.
<!--Policy-->
<a href="" id="deviceguard-lsacfgflags"></a>**DeviceGuard/LsaCfgFlags**
Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible.
<!--SupportedSKUs-->
Credential Guard
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials.
For Windows 11 21H2 and earlier, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option. For later versions, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option or was "Not Configured".
<!--/SupportedSKUs-->
<hr/>
The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
The "Enabled without lock" option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).
> [!div class = "checklist"]
> * Device
For Windows 11 21H2 and earlier, the "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. For later versions, if there is no current setting in the registry, the "Not Configured" option will enable Credential Guard without UEFI lock.
<hr/>
Secure Launch
<!--/Scope-->
<!--Description-->
This setting sets the configuration of Secure Launch to secure the boot chain.
The "Not Configured" setting is the default, and allows configuration of the feature by Administrative users.
The "Enabled" option turns on Secure Launch on supported hardware.
The "Disabled" option turns off Secure Launch, regardless of hardware support.
Kernel-mode Hardware-enforced Stack Protection
This setting enables Hardware-enforced Stack Protection for kernel-mode code. When this security feature is enabled, kernel-mode data stacks are hardened with hardware-based shadow stacks, which store intended return address targets to ensure that program control flow is not tampered.
This security feature has the following prerequisites:
1) The CPU hardware supports hardware-based shadow stacks.
2) Virtualization Based Protection of Code Integrity is enabled.
If either prerequisite is not met, this feature will not be enabled, even if an "Enabled" option is selected for this feature.
**Note** that selecting an "Enabled" option for this feature will not automatically enable Virtualization Based Protection of Code Integrity, that needs to be done separately.
Devices that enable this security feature must be running at least Windows 11 (Version 22H2).
The "Disabled" option turns off kernel-mode Hardware-enforced Stack Protection.
The "Enabled in audit mode" option enables kernel-mode Hardware-enforced Stack Protection in audit mode, where shadow stack violations are not fatal and will be logged to the system event log.
The "Enabled in enforcement mode" option enables kernel-mode Hardware-enforced Stack Protection in enforcement mode, where shadow stack violations are fatal.
The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified.
Warning: All drivers on the system must be compatible with this security feature or the system may crash in enforcement mode. Audit mode can be used to discover incompatible drivers. For more information, refer to <https://go.microsoft.com/fwlink/?LinkId=2162953>.
<!-- EnableVirtualizationBasedSecurity-Description-End -->
<!-- EnableVirtualizationBasedSecurity-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableVirtualizationBasedSecurity-Editable-End -->
<!-- EnableVirtualizationBasedSecurity-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- EnableVirtualizationBasedSecurity-DFProperties-End -->
<!-- EnableVirtualizationBasedSecurity-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | disable virtualization based security. |
| 1 | enable virtualization based security. |
<!-- EnableVirtualizationBasedSecurity-AllowedValues-End -->
<!-- EnableVirtualizationBasedSecurity-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| Registry Value Name | EnableVirtualizationBasedSecurity |
| ADMX File Name | DeviceGuard.admx |
<!-- EnableVirtualizationBasedSecurity-GpMapping-End -->
<!-- EnableVirtualizationBasedSecurity-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableVirtualizationBasedSecurity-Examples-End -->
<!-- EnableVirtualizationBasedSecurity-End -->
<!-- LsaCfgFlags-Begin -->
## LsaCfgFlags
<!-- LsaCfgFlags-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- LsaCfgFlags-Applicability-End -->
<!-- LsaCfgFlags-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags
```
<!-- LsaCfgFlags-OmaUri-End -->
<!-- LsaCfgFlags-Description-Begin -->
<!-- Description-Source-DDF -->
Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock.
<!-- LsaCfgFlags-Description-End -->
<!-- LsaCfgFlags-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LsaCfgFlags-Editable-End -->
<!-- LsaCfgFlags-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- LsaCfgFlags-DFProperties-End -->
<!-- LsaCfgFlags-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock. |
| 1 | (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock. |
| 2 | (Enabled without lock) Turns on Credential Guard without UEFI lock. |
<!-- LsaCfgFlags-AllowedValues-End -->
<!-- LsaCfgFlags-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Credential Guard Configuration |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |
<!-- LsaCfgFlags-GpMapping-End -->
<!-- LsaCfgFlags-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LsaCfgFlags-Examples-End -->
<!-- LsaCfgFlags-End -->
<!-- RequirePlatformSecurityFeatures-Begin -->
## RequirePlatformSecurityFeatures
<!-- RequirePlatformSecurityFeatures-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- RequirePlatformSecurityFeatures-Applicability-End -->
<!-- RequirePlatformSecurityFeatures-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures
```
<!-- RequirePlatformSecurityFeatures-OmaUri-End -->
<!-- RequirePlatformSecurityFeatures-Description-Begin -->
<!-- Description-Source-DDF -->
Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.
<!-- RequirePlatformSecurityFeatures-Description-End -->
<!-- RequirePlatformSecurityFeatures-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer.
<!-- RequirePlatformSecurityFeatures-Editable-End -->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Turn On Virtualization Based Security*
- GP name: *VirtualizationBasedSecurity*
- GP element: *CredentialIsolationDrop*
- GP path: *System/Device Guard*
- GP ADMX file name: *DeviceGuard.admx*
<!-- RequirePlatformSecurityFeatures-DFProperties-Begin -->
**Description framework properties**:
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- RequirePlatformSecurityFeatures-DFProperties-End -->
- 0 (default) - (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock.
- 1 - (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.
- 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock.
<!-- RequirePlatformSecurityFeatures-AllowedValues-Begin -->
**Allowed values**:
<!--/SupportedValues-->
<!--/Policy-->
| Value | Description |
|:--|:--|
| 1 (Default) | Turns on VBS with Secure Boot. |
| 3 | Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support. |
<!-- RequirePlatformSecurityFeatures-AllowedValues-End -->
<hr/>
<!-- RequirePlatformSecurityFeatures-GpMapping-Begin -->
**Group policy mapping**:
<!--Policy-->
<a href="" id="deviceguard-requireplatformsecurityfeatures"></a>**DeviceGuard/RequirePlatformSecurityFeatures**
| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Select Platform Security Level |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |
<!-- RequirePlatformSecurityFeatures-GpMapping-End -->
<!--SupportedSKUs-->
<!-- RequirePlatformSecurityFeatures-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RequirePlatformSecurityFeatures-Examples-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- RequirePlatformSecurityFeatures-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- DeviceGuard-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- DeviceGuard-CspMoreInfo-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- DeviceGuard-End -->
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This setting specifies the platform security level at the next reboot. Value type is integer.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Turn On Virtualization Based Security*
- GP name: *VirtualizationBasedSecurity*
- GP element: *RequirePlatformSecurityFeaturesDrop*
- GP path: *System/Device Guard*
- GP ADMX file name: *DeviceGuard.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 1 (default) - Turns on VBS with Secure Boot.
- 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

289
windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
View File

@ -1,189 +1,200 @@
---
title: Policy CSP - DeviceHealthMonitoring
description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft.
title: DeviceHealthMonitoring Policy CSP
description: Learn more about the DeviceHealthMonitoring Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.date: 12/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- DeviceHealthMonitoring-Begin -->
# Policy CSP - DeviceHealthMonitoring
<!-- DeviceHealthMonitoring-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DeviceHealthMonitoring-Editable-End -->
<!-- AllowDeviceHealthMonitoring-Begin -->
## AllowDeviceHealthMonitoring
<hr/>
<!-- AllowDeviceHealthMonitoring-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- AllowDeviceHealthMonitoring-Applicability-End -->
<!--Policies-->
## DeviceHealthMonitoring policies
<!-- AllowDeviceHealthMonitoring-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring
```
<!-- AllowDeviceHealthMonitoring-OmaUri-End -->
<dl>
<dd>
<a href="#devicehealthmonitoring-allowdevicehealthmonitoring">DeviceHealthMonitoring/AllowDeviceHealthMonitoring</a>
</dd>
<dd>
<a href="#devicehealthmonitoring-configdevicehealthmonitoringscope">DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope</a>
</dd>
<dd>
<a href="#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination">DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination</a>
</dd>
</dl>
<!-- AllowDeviceHealthMonitoring-Description-Begin -->
<!-- Description-Source-DDF -->
Enable/disable 4Nines device health monitoring on devices.
<!-- AllowDeviceHealthMonitoring-Description-End -->
<!-- AllowDeviceHealthMonitoring-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowDeviceHealthMonitoring-Editable-End -->
<hr/>
<!-- AllowDeviceHealthMonitoring-DFProperties-Begin -->
**Description framework properties**:
<!--Policy-->
<a href="" id="devicehealthmonitoring-allowdevicehealthmonitoring"></a>**DeviceHealthMonitoring/AllowDeviceHealthMonitoring**
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AllowDeviceHealthMonitoring-DFProperties-End -->
<!--SupportedSKUs-->
<!-- AllowDeviceHealthMonitoring-AllowedValues-Begin -->
**Allowed values**:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
| Value | Description |
|:--|:--|
| 1 | The DeviceHealthMonitoring connection is enabled. |
| 0 (Default) | The DeviceHealthMonitoring connection is disabled. |
<!-- AllowDeviceHealthMonitoring-AllowedValues-End -->
<!-- AllowDeviceHealthMonitoring-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowDeviceHealthMonitoring-Examples-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- AllowDeviceHealthMonitoring-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- ConfigDeviceHealthMonitoringScope-Begin -->
## ConfigDeviceHealthMonitoringScope
> [!div class = "checklist"]
> * Device
<!-- ConfigDeviceHealthMonitoringScope-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- ConfigDeviceHealthMonitoringScope-Applicability-End -->
<hr/>
<!-- ConfigDeviceHealthMonitoringScope-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope
```
<!-- ConfigDeviceHealthMonitoringScope-OmaUri-End -->
<!--/Scope-->
<!--Description-->
DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service that requires it.
<!-- ConfigDeviceHealthMonitoringScope-Description-Begin -->
<!-- Description-Source-DDF -->
If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored.
<!-- ConfigDeviceHealthMonitoringScope-Description-End -->
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
<!-- ConfigDeviceHealthMonitoringScope-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigDeviceHealthMonitoringScope-Editable-End -->
- 1 -The DeviceHealthMonitoring connection is enabled.
- 0 - (default)—The DeviceHealthMonitoring connection is disabled.
<!-- ConfigDeviceHealthMonitoringScope-DFProperties-Begin -->
**Description framework properties**:
<!--/SupportedValues-->
<!--Example-->
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringScope_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- ConfigDeviceHealthMonitoringScope-DFProperties-End -->
<!--/Example-->
<!--Validation-->
<!-- ConfigDeviceHealthMonitoringScope-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigDeviceHealthMonitoringScope-Examples-End -->
<!--/Validation-->
<!--/Policy-->
<!-- ConfigDeviceHealthMonitoringScope-End -->
<hr/>
<!-- ConfigDeviceHealthMonitoringServiceInstance-Begin -->
## ConfigDeviceHealthMonitoringServiceInstance
<!--Policy-->
<a href="" id="devicehealthmonitoring-configdevicehealthmonitoringscope"></a>**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope**
<!-- ConfigDeviceHealthMonitoringServiceInstance-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- ConfigDeviceHealthMonitoringServiceInstance-Applicability-End -->
<!--SupportedSKUs-->
<!-- ConfigDeviceHealthMonitoringServiceInstance-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringServiceInstance
```
<!-- ConfigDeviceHealthMonitoringServiceInstance-OmaUri-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- ConfigDeviceHealthMonitoringServiceInstance-Description-Begin -->
<!-- Description-Source-DDF -->
If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which service instance to which events are to be uploaded.
<!-- ConfigDeviceHealthMonitoringServiceInstance-Description-End -->
<!-- ConfigDeviceHealthMonitoringServiceInstance-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigDeviceHealthMonitoringServiceInstance-Editable-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- ConfigDeviceHealthMonitoringServiceInstance-DFProperties-Begin -->
**Description framework properties**:
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringServiceInstance_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- ConfigDeviceHealthMonitoringServiceInstance-DFProperties-End -->
> [!div class = "checklist"]
> * Device
<!-- ConfigDeviceHealthMonitoringServiceInstance-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigDeviceHealthMonitoringServiceInstance-Examples-End -->
<hr/>
<!-- ConfigDeviceHealthMonitoringServiceInstance-End -->
<!--/Scope-->
<!--Description-->
This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection.
IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service.
<!-- ConfigDeviceHealthMonitoringUploadDestination-Begin -->
## ConfigDeviceHealthMonitoringUploadDestination
<!-- ConfigDeviceHealthMonitoringUploadDestination-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- ConfigDeviceHealthMonitoringUploadDestination-Applicability-End -->
<!--/Description-->
<!--SupportedValues-->
<!-- ConfigDeviceHealthMonitoringUploadDestination-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination
```
<!-- ConfigDeviceHealthMonitoringUploadDestination-OmaUri-End -->
<!--/SupportedValues-->
<!--Example-->
<!-- ConfigDeviceHealthMonitoringUploadDestination-Description-Begin -->
<!-- Description-Source-DDF -->
If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded.
<!-- ConfigDeviceHealthMonitoringUploadDestination-Description-End -->
<!--/Example-->
<!--Validation-->
<!-- ConfigDeviceHealthMonitoringUploadDestination-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigDeviceHealthMonitoringUploadDestination-Editable-End -->
<!--/Validation-->
<!--/Policy-->
<!-- ConfigDeviceHealthMonitoringUploadDestination-DFProperties-Begin -->
**Description framework properties**:
<hr/>
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringUploadDestination_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- ConfigDeviceHealthMonitoringUploadDestination-DFProperties-End -->
<!--Policy-->
<a href="" id="devicehealthmonitoring-configdevicehealthmonitoringuploaddestination"></a>**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination**
<!-- ConfigDeviceHealthMonitoringUploadDestination-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigDeviceHealthMonitoringUploadDestination-Examples-End -->
<!--SupportedSKUs-->
<!-- ConfigDeviceHealthMonitoringUploadDestination-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- DeviceHealthMonitoring-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- DeviceHealthMonitoring-CspMoreInfo-End -->
<!-- DeviceHealthMonitoring-End -->
<!--/SupportedSKUs-->
<hr/>
## Related articles
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios.
In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked.
Configure this policy manually only when explicitly instructed to do so by a Microsoft device monitoring service.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)
[Policy configuration service provider](policy-configuration-service-provider.md)

980
windows/client-management/mdm/policy-csp-deviceinstallation.md
View File

File diff suppressed because it is too large Load Diff