deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

devicelock display dmaguard

Browse Source
This commit is contained in:
Liz Long 2022-12-29 15:34:32 -05:00
parent 03f55e0b8e
commit 38b9060033
3 changed files with 1478 additions and 1043 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1911
windows/client-management/mdm/policy-csp-devicelock.md
View File

File diff suppressed because it is too large Load Diff

464
windows/client-management/mdm/policy-csp-display.md
View File

@ -1,118 +1,105 @@
---
title: Policy CSP - Display
description: Learn how to use the Policy CSP - Display setting to disable Per-Process System DPI for a semicolon-separated list of applications.
title: Display Policy CSP
description: Learn more about the Display Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.date: 12/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- Display-Begin -->
# Policy CSP - Display
<hr/>
<!-- Display-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Display-Editable-End -->
<!--Policies-->
## Display policies
<!-- DisablePerProcessDpiForApps-Begin -->
## DisablePerProcessDpiForApps
<dl>
<dd>
<a href="#display-disableperprocessdpiforapps">Display/DisablePerProcessDpiForApps</a>
</dd>
<dd>
<a href="#display-enableperprocessdpi">Display/EnablePerProcessDpi</a>
</dd>
<dd>
<a href="#display-enableperprocessdpiforapps">Display/EnablePerProcessDpiForApps</a>
</dd>
<dd>
<a href="#display-turnoffgdidpiscalingforapps">Display/TurnOffGdiDPIScalingForApps</a>
</dd>
<dd>
<a href="#display-turnongdidpiscalingforapps">Display/TurnOnGdiDPIScalingForApps</a>
</dd>
</dl>
<!-- DisablePerProcessDpiForApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- DisablePerProcessDpiForApps-Applicability-End -->
<!-- DisablePerProcessDpiForApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Display/DisablePerProcessDpiForApps
```
<!-- DisablePerProcessDpiForApps-OmaUri-End -->
<hr/>
<!--Policy-->
<a href="" id="display-disableperprocessdpiforapps"></a>**Display/DisablePerProcessDpiForApps**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!-- DisablePerProcessDpiForApps-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
<!-- DisablePerProcessDpiForApps-Description-End -->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Configure Per-Process System DPI settings*
- GP name: *DisplayPerProcessSystemDpiSettings*
- GP element: *DisplayDisablePerProcessSystemDpiSettings*
- GP path: *System/Display*
- GP ADMX file name: *Display.admx*
<!-- DisablePerProcessDpiForApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisablePerProcessDpiForApps-Editable-End -->
<!--/ADMXMapped-->
<!--/Policy-->
<!-- DisablePerProcessDpiForApps-DFProperties-Begin -->
**Description framework properties**:
<hr/>
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- DisablePerProcessDpiForApps-DFProperties-End -->
<!--Policy-->
<a href="" id="display-enableperprocessdpi"></a>**Display/EnablePerProcessDpi**
<!-- DisablePerProcessDpiForApps-GpMapping-Begin -->
**Group policy mapping**:
<!--SupportedSKUs-->
| Name | Value |
|:--|:--|
| Name | DisplayPerProcessSystemDpiSettings |
| Friendly Name | Configure Per-Process System DPI settings |
| Element Name | Disable Per-Process System DPI for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. |
| Location | Computer and User Configuration |
| Path | System > Display |
| Registry Key Name | Software\Policies\Microsoft\Windows\Display |
| ADMX File Name | Display.admx |
<!-- DisablePerProcessDpiForApps-GpMapping-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- DisablePerProcessDpiForApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisablePerProcessDpiForApps-Examples-End -->
<!-- DisablePerProcessDpiForApps-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- EnablePerProcessDpi-Begin -->
## EnablePerProcessDpi
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- EnablePerProcessDpi-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- EnablePerProcessDpi-Applicability-End -->
> [!div class = "checklist"]
> * User
> * Device
<!-- EnablePerProcessDpi-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Display/EnablePerProcessDpi
```
<hr/>
```Device
./Device/Vendor/MSFT/Policy/Config/Display/EnablePerProcessDpi
```
<!-- EnablePerProcessDpi-OmaUri-End -->
<!--/Scope-->
<!--Description-->
<!-- EnablePerProcessDpi-Description-Begin -->
<!-- Description-Source-DDF -->
Enable or disable Per-Process System DPI for all applications.
<!-- EnablePerProcessDpi-Description-End -->
<!-- EnablePerProcessDpi-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Per Process System DPI is an application compatibility feature for desktop applications that don't render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that haven't been updated to display properly in this scenario will be blurry until you sign out and back in to Windows.
When you enable this policy some blurry applications will be crisp after they're restarted, without requiring the user to sign out and back in to Windows.
@ -126,100 +113,122 @@ Per Process System DPI won't work for all applications as some older desktop app
In some cases, you may see some unexpected behavior in some desktop applications that have Per-Process System DPI applied. If that happens, Per Process System DPI should be disabled.
Enabling this setting lets you specify the system-wide default for desktop applications and per-application overrides. If you disable or don't configure this setting, Per Process System DPI won't apply to any processes on the system.
<!-- EnablePerProcessDpi-Editable-End -->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Configure Per-Process System DPI settings*
- GP name: *DisplayPerProcessSystemDpiSettings*
- GP element: *DisplayGlobalPerProcessSystemDpiSettings*
- GP path: *System/Display*
- GP ADMX file name: *Display.admx*
<!-- EnablePerProcessDpi-DFProperties-Begin -->
**Description framework properties**:
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
<!-- EnablePerProcessDpi-DFProperties-End -->
- 0 - Disable.
- 1 - Enable.
<!-- EnablePerProcessDpi-AllowedValues-Begin -->
**Allowed values**:
<!--/SupportedValues-->
<!--/Policy-->
| Value | Description |
|:--|:--|
| 0 | Disable. |
| 1 | Enable. |
<!-- EnablePerProcessDpi-AllowedValues-End -->
<hr/>
<!-- EnablePerProcessDpi-GpMapping-Begin -->
**Group policy mapping**:
<!--Policy-->
<a href="" id="display-enableperprocessdpiforapps"></a>**Display/EnablePerProcessDpiForApps**
| Name | Value |
|:--|:--|
| Name | DisplayPerProcessSystemDpiSettings |
| Friendly Name | Configure Per-Process System DPI settings |
| Element Name | Enable or disable Per-Process System DPI for all applications. |
| Location | Computer and User Configuration |
| Path | System > Display |
| Registry Key Name | Software\Policies\Microsoft\Windows\Display |
| ADMX File Name | Display.admx |
<!-- EnablePerProcessDpi-GpMapping-End -->
<!--SupportedSKUs-->
<!-- EnablePerProcessDpi-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnablePerProcessDpi-Examples-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- EnablePerProcessDpi-End -->
<!-- EnablePerProcessDpiForApps-Begin -->
## EnablePerProcessDpiForApps
<!--/SupportedSKUs-->
<hr/>
<!-- EnablePerProcessDpiForApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- EnablePerProcessDpiForApps-Applicability-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- EnablePerProcessDpiForApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Display/EnablePerProcessDpiForApps
```
<!-- EnablePerProcessDpiForApps-OmaUri-End -->
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!-- EnablePerProcessDpiForApps-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
<!-- EnablePerProcessDpiForApps-Description-End -->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Configure Per-Process System DPI settings*
- GP name: *DisplayPerProcessSystemDpiSettings*
- GP element: *DisplayEnablePerProcessSystemDpiSettings*
- GP path: *System/Display*
- GP ADMX file name: *Display.admx*
<!-- EnablePerProcessDpiForApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnablePerProcessDpiForApps-Editable-End -->
<!--/ADMXMapped-->
<!--/Policy-->
<!-- EnablePerProcessDpiForApps-DFProperties-Begin -->
**Description framework properties**:
<hr/>
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- EnablePerProcessDpiForApps-DFProperties-End -->
<!--Policy-->
<a href="" id="display-turnoffgdidpiscalingforapps"></a>**Display/TurnOffGdiDPIScalingForApps**
<!-- EnablePerProcessDpiForApps-GpMapping-Begin -->
**Group policy mapping**:
<!--SupportedSKUs-->
| Name | Value |
|:--|:--|
| Name | DisplayPerProcessSystemDpiSettings |
| Friendly Name | Configure Per-Process System DPI settings |
| Element Name | Enable Per-Process System DPI for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. |
| Location | Computer and User Configuration |
| Path | System > Display |
| Registry Key Name | Software\Policies\Microsoft\Windows\Display |
| ADMX File Name | Display.admx |
<!-- EnablePerProcessDpiForApps-GpMapping-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- EnablePerProcessDpiForApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnablePerProcessDpiForApps-Examples-End -->
<!-- EnablePerProcessDpiForApps-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- TurnOffGdiDPIScalingForApps-Begin -->
## TurnOffGdiDPIScalingForApps
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- TurnOffGdiDPIScalingForApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
<!-- TurnOffGdiDPIScalingForApps-Applicability-End -->
> [!div class = "checklist"]
> * Device
<!-- TurnOffGdiDPIScalingForApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Display/TurnOffGdiDPIScalingForApps
```
<!-- TurnOffGdiDPIScalingForApps-OmaUri-End -->
<hr/>
<!-- TurnOffGdiDPIScalingForApps-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
<!-- TurnOffGdiDPIScalingForApps-Description-End -->
<!--/Scope-->
<!--Description-->
<!-- TurnOffGdiDPIScalingForApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware.
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off.
@ -229,58 +238,68 @@ If you enable this policy setting, GDI DPI Scaling is turned off for all applica
If you disable or don't configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
If GDI DPI Scaling is configured to both turn-off and turn-on an application, the application will be turned off.
<!-- TurnOffGdiDPIScalingForApps-Editable-End -->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Turn off GdiDPIScaling for applications*
- GP name: *DisplayTurnOffGdiDPIScaling*
- GP element: *DisplayTurnOffGdiDPIScalingPrompt*
- GP path: *System/Display*
- GP ADMX file name: *Display.admx*
<!-- TurnOffGdiDPIScalingForApps-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- TurnOffGdiDPIScalingForApps-DFProperties-End -->
<!-- TurnOffGdiDPIScalingForApps-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisplayTurnOffGdiDPIScaling |
| Friendly Name | Turn off GdiDPIScaling for applications |
| Element Name | Disable GDI DPI Scaling for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. |
| Location | Computer Configuration |
| Path | System > Display |
| Registry Key Name | Software\Policies\Microsoft\Windows\Display |
| ADMX File Name | Display.admx |
<!-- TurnOffGdiDPIScalingForApps-GpMapping-End -->
<!-- TurnOffGdiDPIScalingForApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**Validate**:
<!--/ADMXMapped-->
<!--Validation-->
To validate on Desktop, do the following tasks:
1. Configure the setting for an app, which has GDI DPI scaling enabled via MDM or any other supported mechanisms.
2. Run the app and observe blurry text.
<!--/Validation-->Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address.
<!--/Policy-->
<!-- TurnOffGdiDPIScalingForApps-Examples-End -->
<hr/>
<!-- TurnOffGdiDPIScalingForApps-End -->
<!--Policy-->
<a href="" id="display-turnongdidpiscalingforapps"></a>**Display/TurnOnGdiDPIScalingForApps**
<!-- TurnOnGdiDPIScalingForApps-Begin -->
## TurnOnGdiDPIScalingForApps
<!--SupportedSKUs-->
<!-- TurnOnGdiDPIScalingForApps-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
<!-- TurnOnGdiDPIScalingForApps-Applicability-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- TurnOnGdiDPIScalingForApps-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Display/TurnOnGdiDPIScalingForApps
```
<!-- TurnOnGdiDPIScalingForApps-OmaUri-End -->
<!-- TurnOnGdiDPIScalingForApps-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
<!-- TurnOnGdiDPIScalingForApps-Description-End -->
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware.
<!-- TurnOnGdiDPIScalingForApps-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on.
If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list.
@ -288,31 +307,50 @@ If you enable this policy setting, GDI DPI Scaling is turned on for all legacy a
If you disable or don't configure this policy setting, GDI DPI Scaling won't be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
If GDI DPI Scaling is configured to both turn-off and turn-on an application, the application will be turned off.
<!-- TurnOnGdiDPIScalingForApps-Editable-End -->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Turn on GdiDPIScaling for applications*
- GP name: *DisplayTurnOnGdiDPIScaling*
- GP element: *DisplayTurnOnGdiDPIScalingPrompt*
- GP path: *System/Display*
- GP ADMX file name: *Display.admx*
<!-- TurnOnGdiDPIScalingForApps-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- TurnOnGdiDPIScalingForApps-DFProperties-End -->
<!-- TurnOnGdiDPIScalingForApps-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisplayTurnOnGdiDPIScaling |
| Friendly Name | Turn on GdiDPIScaling for applications |
| Element Name | Enable GDI DPI Scaling for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. |
| Location | Computer Configuration |
| Path | System > Display |
| Registry Key Name | Software\Policies\Microsoft\Windows\Display |
| ADMX File Name | Display.admx |
<!-- TurnOnGdiDPIScalingForApps-GpMapping-End -->
<!-- TurnOnGdiDPIScalingForApps-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
**Validate**:
<!--/ADMXMapped-->
<!--Validation-->
To validate on Desktop, do the following tasks:
1. Configure the setting for an app, which uses GDI.
2. Run the app and observe crisp text.
<!-- TurnOnGdiDPIScalingForApps-Examples-End -->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!-- TurnOnGdiDPIScalingForApps-End -->
<!-- Display-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Display-CspMoreInfo-End -->
<!-- Display-End -->
<!--/Policies-->
## Related topics
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

138
windows/client-management/mdm/policy-csp-dmaguard.md
View File

@ -1,101 +1,101 @@
---
title: Policy CSP - DmaGuard
description: Learn how to use the Policy CSP - DmaGuard setting to provide more security against external DMA capable devices.
title: DmaGuard Policy CSP
description: Learn more about the DmaGuard Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.date: 12/29/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- DmaGuard-Begin -->
# Policy CSP - DmaGuard
<hr/>
<!-- DmaGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DmaGuard-Editable-End -->
<!--Policies-->
## DmaGuard policies
<!-- DeviceEnumerationPolicy-Begin -->
## DeviceEnumerationPolicy
<dl>
<dd>
<a href="#dmaguard-deviceenumerationpolicy">DmaGuard/DeviceEnumerationPolicy</a>
</dd>
</dl>
<!-- DeviceEnumerationPolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
<!-- DeviceEnumerationPolicy-Applicability-End -->
<!-- DeviceEnumerationPolicy-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DmaGuard/DeviceEnumerationPolicy
```
<!-- DeviceEnumerationPolicy-OmaUri-End -->
<hr/>
<!-- DeviceEnumerationPolicy-Description-Begin -->
<!-- Description-Source-ADMX -->
Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system.
<!--Policy-->
<a href="" id="dmaguard-deviceenumerationpolicy"></a>**DmaGuard/DeviceEnumerationPolicy**
**Note**: this policy does not apply to 1394, PCMCIA or ExpressCard devices.
<!-- DeviceEnumerationPolicy-Description-End -->
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!-- DeviceEnumerationPolicy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices that are incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers), device memory isolation and sandboxing.
Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
<!-- DeviceEnumerationPolicy-Editable-End -->
> [!NOTE]
> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices.
<!-- DeviceEnumerationPolicy-DFProperties-Begin -->
**Description framework properties**:
The following are the supported values:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- DeviceEnumerationPolicy-DFProperties-End -->
0 - Block all (Most restrictive): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will never be allowed to start and perform DMA at any time.
<!-- DeviceEnumerationPolicy-AllowedValues-Begin -->
**Allowed values**:
1 - Only after log in/screen unlock (Default): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen.
| Value | Description |
|:--|:--|
| 0 | Block all (Most restrictive) |
| 1 (Default) | Only after log in/screen unlock |
| 2 | Allow all (Least restrictive) |
<!-- DeviceEnumerationPolicy-AllowedValues-End -->
2 - Allow all (Least restrictive): All external DMA capable PCIe devices will be enumerated at any time
<!-- DeviceEnumerationPolicy-GpMapping-Begin -->
**Group policy mapping**:
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Enumeration policy for external devices incompatible with Kernel DMA Protection*
- GP name: *DmaGuardEnumerationPolicy*
- GP path: *System/Kernel DMA Protection*
- GP ADMX file name: *dmaguard.admx*
| Name | Value |
|:--|:--|
| Name | DmaGuardEnumerationPolicy |
| Friendly Name | Enumeration policy for external devices incompatible with Kernel DMA Protection |
| Location | Computer Configuration |
| Path | System > Kernel DMA Protection |
| Registry Key Name | Software\Policies\Microsoft\Windows\Kernel DMA Protection |
| ADMX File Name | DmaGuard.admx |
<!-- DeviceEnumerationPolicy-GpMapping-End -->
<!--/ADMXMapped-->
<!--SupportedValues-->
<!-- DeviceEnumerationPolicy-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DeviceEnumerationPolicy-Examples-End -->
<!--/SupportedValues-->
<!--Example-->
<!-- DeviceEnumerationPolicy-End -->
<!--/Example-->
<!--Validation-->
<!-- DmaGuard-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- DmaGuard-CspMoreInfo-End -->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!-- DmaGuard-End -->
<!--/Policies-->
## Related topics
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)