From 4000c1fba7276c50329c2bbb528012142ec36c30 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com>
Date: Thu, 2 Jun 2022 13:48:16 +0530
Subject: [PATCH] CSP Improvement-09
---
.../mdm/policy-csp-deliveryoptimization.md | 4 +---
.../mdm/policy-csp-desktop.md | 5 ++++-
.../mdm/policy-csp-deviceguard.md | 10 +++++++---
.../mdm/policy-csp-devicehealthmonitoring.md | 14 ++++++++++----
.../mdm/policy-csp-deviceinstallation.md | 18 +++++++++++++-----
.../mdm/policy-csp-devicelock.md | 13 +++++++------
.../mdm/policy-csp-display.md | 13 +++++++------
.../mdm/policy-csp-dmaguard.md | 13 +++++++------
.../client-management/mdm/policy-csp-eap.md | 8 +++++---
9 files changed, 61 insertions(+), 37 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 1584cc9211..975baa5384 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -21,8 +21,6 @@ manager: dansimp
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
@@ -817,7 +815,7 @@ ADMX Info:
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607.
-The default value is 259200 seconds (3 days).
+The default value is 259200 seconds (three days).
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 947f9373f2..4d3d97a6bd 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -63,7 +63,7 @@ manager: dansimp
-Prevents users from changing the path to their profile folders.
+This policy setting prevents users from changing the path to their profile folders.
By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.
@@ -87,3 +87,6 @@ ADMX Info:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
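Review bot: the new `## Related topics` section in policy-csp-desktop.md still leaves the file without a trailing newline (`\ No newline at end of file`), and the equivalent hunks for deviceguard, devicehealthmonitoring, devicelock, display, dmaguard and eap in this same patch do the same; only policy-csp-deviceinstallation.md gets one. Since this series is a cleanup pass, end each file with a newline so the next edit to these pages does not produce a spurious diff on the last line.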
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index 0629edd5f5..09369cf747 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -127,7 +127,7 @@ ADMX Info:
-Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
+Turns on virtualization based security(VBS) at the next reboot. Virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
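Review bot: both the old and the new line still lack a space before the parenthesis in `virtualization based security(VBS)`, and the compound adjective should be hyphenated; suggest `Turns on virtualization-based security (VBS) at the next reboot. Virtualization-based security uses the Windows Hypervisor ...`. Capitalising the second sentence is correct but is the only thing this hunk changes.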
@@ -228,7 +228,7 @@ The following list shows the supported values:
-Specifies the platform security level at the next reboot. Value type is integer.
+This setting specifies the platform security level at the next reboot. Value type is integer.
@@ -252,4 +252,8 @@ The following list shows the supported values:
-
\ No newline at end of file
+
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
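Review bot: the two `+` lines before `## Related topics` insert two blank lines where one is enough, and the file still ends without a newline; drop one of the blank lines and add the trailing newline.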
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 31ab6fa6d5..65ccf2ff72 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -70,8 +70,8 @@ DeviceHealthMonitoring is an opt-in health monitoring connection between the dev
The following list shows the supported values:
-- 1—The DeviceHealthMonitoring connection is enabled.
-- 0 (default)—The DeviceHealthMonitoring connection is disabled.
+- 1 -The DeviceHealthMonitoring connection is enabled.
+- 0 - (default)—The DeviceHealthMonitoring connection is disabled.
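Review bot: the rewritten value list is inconsistent and a regression on the original: `- 1 -The` has no space after the separator, and the `0` item combines a hyphen separator with the em dash it was meant to replace. Use one separator in both items and keep the default marker next to the value, for example `- 1 - The DeviceHealthMonitoring connection is enabled.` and `- 0 (default) - The DeviceHealthMonitoring connection is disabled.`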
@@ -159,9 +159,12 @@ IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to
-This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
+This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
+
The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios.
-In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked. Only configure this policy manually if explicitly instructed to do so by a Microsoft device monitoring service.
+In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked.
+
+Configure this policy manually only when explicitly instructed to do so by a Microsoft device monitoring service.
@@ -181,3 +184,6 @@ In most cases, an IT Pro doesn't need to define this policy. Instead, it's expec
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 42835ecf22..ee81f379cf 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -94,10 +94,12 @@ This policy setting allows you to specify a list of plug-and-play hardware IDs a
> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
-- Prevent installation of devices that match these device IDs
-- Prevent installation of devices that match any of these device instance IDs
+
+- Prevent installation of devices that match these device IDs.
+- Prevent installation of devices that match any of these device instance IDs.
If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
+
> [!NOTE]
> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
@@ -197,7 +199,8 @@ This policy setting allows you to specify a list of Plug and Play device instanc
> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
-- Prevent installation of devices that match any of these device instance IDs
+
+- Prevent installation of devices that match any of these device instance IDs.
If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
@@ -210,7 +213,6 @@ If you enable this policy setting on a remote desktop server, the policy setting
If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
-
Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
@@ -408,6 +410,7 @@ This policy setting will change the evaluation order in which Allow and Prevent
Device instance IDs > Device IDs > Device setup class > Removable devices
**Device instance IDs**
+
- Prevent installation of devices using drivers that match these device instance IDs.
- Allow installation of devices using drivers that match these device instance IDs.
@@ -463,13 +466,13 @@ ADMX Info:
To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
-
```txt
>>> [Device Installation Restrictions Policy Check]
>>> Section start 2018/11/15 12:26:41.659
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
+
You can also change the evaluation order of device installation policy settings by using a custom profile in Intune.
:::image type="content" source="images/edit-row.png" alt-text="This image is an edit row image.":::
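Review bot: this hunk removes the blank line between `To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log ...` and the txt code fence while adding one after the fence. CommonMark lets a fence interrupt a paragraph, so it still renders, but markdown linters (markdownlint MD031) expect a blank line on both sides of a fenced block; keep the blank line before the fence rather than moving it.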
@@ -819,6 +822,7 @@ For example, this custom profile prevents installation of devices with matching

To prevent installation of devices with matching device instance IDs by using custom profile in Intune:
+
1. Locate the device instance ID.
2. Replace `&` in the device instance IDs with `&`.
For example:
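Review bot: the unchanged context line `Replace `&` in the device instance IDs with `&`.` is a no-op as written; the intended replacement is the XML-escaped form `&amp;`, because the instance ID is placed in a SyncML body that must be XML-encoded (the CDATA note at the top of this patch says as much). Since the surrounding list is being touched anyway, fix it here: a reader following the step literally produces a payload that is not well-formed XML.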
@@ -938,3 +942,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 9a2ac9d034..39fa89a03f 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - DeviceLock
-
-
@@ -73,7 +71,7 @@ manager: dansimp
> [!Important]
-> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types).
+> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types).
**DeviceLock/AllowIdleReturnWithoutPassword**
@@ -156,7 +154,6 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
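Review bot: removing the blank line after `> This policy must be wrapped in an Atomic command.` is risky: if it was the only blank line between the `> [!NOTE]` callout and `For more information about this policy, see ...`, that paragraph becomes a lazy continuation of the blockquote and renders inside the note. Check the rendered page, or keep one blank line after the callout.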
@@ -824,7 +821,7 @@ GP Info:
-Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen.
+Disables the lock screen camera toggle-switch in PC Settings and prevents a camera from being invoked on the lock screen.
By default, users can enable invocation of an available camera on the lock screen.
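Review bot: `toggle switch` is a two-word noun and takes no hyphen; `toggle-switch` would only be right as an attributive modifier, which it is not in `lock screen camera toggle switch`. Revert this change.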
@@ -878,7 +875,7 @@ ADMX Info:
-Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
+Disables the lock screen slideshow settings in PC Settings and prevents a slide show from playing on the lock screen.
By default, users can enable a slide show that will run after they lock the machine.
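Review bot: changing `slide show settings` to `slideshow settings` leaves the same sentence saying `a slide show from playing` and the next line `enable a slide show`; pick one spelling for all three occurrences (the unchanged lines use `slide show`, so the simplest fix is to revert this line).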
@@ -907,3 +904,7 @@ ADMX Info:
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 918e69d004..25318d988f 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - Display
-
-
@@ -230,7 +228,7 @@ If you enable this policy setting, GDI DPI Scaling is turned off for all applica
If you disable or don't configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
-If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
+If GDI DPI Scaling is configured to both turn-off and turn-on an application, the application will be turned off.
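Review bot: `turn off` and `turn on` are verb phrases here (`configured to both turn off and turn on an application`) and must not be hyphenated; `turn-off`/`turn-on` is only correct as a noun or adjective. Revert the hyphens. If the line is being reworded anyway, it is also unclear what is turned off: from the surrounding text (`GDI DPI Scaling is turned off for all applications`) it presumably means scaling is turned off for that application, not the application itself.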
@@ -289,7 +287,7 @@ If you enable this policy setting, GDI DPI Scaling is turned on for all legacy a
If you disable or don't configure this policy setting, GDI DPI Scaling won't be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
-If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
+If GDI DPI Scaling is configured to both turn-off and turn-on an application, the application will be turned off.
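Review bot: same issue as the previous hunk: `turn-off`/`turn-on` hyphenate verbs; revert to `turn off and turn on an application`.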
@@ -304,8 +302,8 @@ ADMX Info:
To validate on Desktop, do the following tasks:
-1. Configure the setting for an app, which uses GDI.
-2. Run the app and observe crisp text.
+1. Configure the setting for an app, which uses GDI.
+2. Run the app and observe crisp text.
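Review bot: the two list lines appear unchanged apart from whitespace. If this hunk is meant to fix the wording, fix the clause too: `an app, which uses GDI` should be `an app that uses GDI`, since the comma makes GDI use incidental rather than the criterion for choosing the app.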
@@ -315,3 +313,6 @@ To validate on Desktop, do the following tasks:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index a92e445ad0..648380d02b 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - DmaGuard
-
@@ -57,20 +56,20 @@ manager: dansimp
-This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing.
+This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices that are incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers), device memory isolation and sandboxing.
-Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
+Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
> [!NOTE]
> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices.
-Supported values:
+The following are the supported values:
0 - Block all (Most restrictive): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will never be allowed to start and perform DMA at any time.
-1 - Only after log in/screen unlock (Default): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen
+1 - Only after log in/screen unlock (Default): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen.
2 - Allow all (Least restrictive): All external DMA capable PCIe devices will be enumerated at any time
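Review bot: replacing the slash in `DMA Remapping/device memory isolation and sandboxing` with a comma changes the meaning. The original names one feature two ways (the next paragraph defines device memory sandboxing as the IOMMU-based mechanism that DMA remapping provides); the new text reads as three separate things a device can be incompatible with. Suggest `incompatible with [DMA Remapping](...) (device memory isolation and sandboxing)`. Two smaller points in the same hunk: moving the comma in `block unallowed I/O, or memory access by the peripheral` breaks the parenthetical (keep `I/O, or memory access, by the peripheral`), and `2 - Allow all (Least restrictive): ... enumerated at any time` still lacks the terminal period that value 1 just received.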
@@ -95,6 +94,8 @@ ADMX Info:
+
+## Related topics
-
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md
index 445cc1cca1..94c84c45ca 100644
--- a/windows/client-management/mdm/policy-csp-eap.md
+++ b/windows/client-management/mdm/policy-csp-eap.md
@@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - EAP
-
@@ -57,7 +56,7 @@ manager: dansimp
-This policy setting is added in Windows 10, version 21H1. Allow or disallow use of TLS 1.3 during EAP client authentication.
+Added in Windows 10, version 21H1. This policy setting allows or disallows use of TLS 1.3 during EAP client authentication.
@@ -70,8 +69,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Use of TLS version 1.3 is not allowed for authentication.
+- 0 – Use of TLS version 1.3 is not allowed for authentication.
- 1 (default) – Use of TLS version 1.3 is allowed for authentication.
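Review bot: the `-`/`+` pair for `0 – Use of TLS version 1.3 is not allowed` is a whitespace-only change, and this list keeps the en dash separator while the devicehealthmonitoring hunk earlier in this same patch replaces dashes with hyphens; settle on one separator across the series. `is not allowed` could also become `isn't allowed` to match the contractions used elsewhere in the patch (`isn't enabled`, `doesn't need`).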
@@ -82,3 +81,6 @@ The following list shows the supported values:
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file