deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

CSP Improvement-09

Browse Source
This commit is contained in:
Alekhya Jupudi 2022-06-02 13:48:16 +05:30
parent 1cb2f2acf9
commit 4000c1fba7
9 changed files with 61 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/client-management/mdm/policy-csp-deliveryoptimization.md
View File

@ -21,8 +21,6 @@ manager: dansimp
> >
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <hr/>
<!--Policies--> <!--Policies-->
@ -817,7 +815,7 @@ ADMX Info:
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607.
The default value is 259200 seconds (3 days). The default value is 259200 seconds (three days).
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->

5
windows/client-management/mdm/policy-csp-desktop.md
View File

@ -63,7 +63,7 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Prevents users from changing the path to their profile folders. This policy setting prevents users from changing the path to their profile folders.
By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box. By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.
@ -87,3 +87,6 @@ ADMX Info:
<!--/Policies--> <!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)

8
windows/client-management/mdm/policy-csp-deviceguard.md
View File

@ -127,7 +127,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Turns on virtualization based security(VBS) at the next reboot. Virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -228,7 +228,7 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Specifies the platform security level at the next reboot. Value type is integer. This setting specifies the platform security level at the next reboot. Value type is integer.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -253,3 +253,7 @@ The following list shows the supported values:
<!--/Policies--> <!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)

12
windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
View File

@ -70,8 +70,8 @@ DeviceHealthMonitoring is an opt-in health monitoring connection between the dev
<!--SupportedValues--> <!--SupportedValues-->
The following list shows the supported values: The following list shows the supported values:
- 1The DeviceHealthMonitoring connection is enabled. - 1 -The DeviceHealthMonitoring connection is enabled.
- 0 (default)—The DeviceHealthMonitoring connection is disabled. - 0 - (default)—The DeviceHealthMonitoring connection is disabled.
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
@ -160,8 +160,11 @@ IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios. The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios.
In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked. Only configure this policy manually if explicitly instructed to do so by a Microsoft device monitoring service. In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked.
Configure this policy manually only when explicitly instructed to do so by a Microsoft device monitoring service.
<!--/Description--> <!--/Description-->
@ -181,3 +184,6 @@ In most cases, an IT Pro doesn't need to define this policy. Instead, it's expec
<!--/Policies--> <!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)

18
windows/client-management/mdm/policy-csp-deviceinstallation.md
View File

@ -94,10 +94,12 @@ This policy setting allows you to specify a list of plug-and-play hardware IDs a
> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. > This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
- Prevent installation of devices that match these device IDs
- Prevent installation of devices that match any of these device instance IDs - Prevent installation of devices that match these device IDs.
- Prevent installation of devices that match any of these device instance IDs.
If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
> [!NOTE] > [!NOTE]
> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. > The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
@ -197,7 +199,8 @@ This policy setting allows you to specify a list of Plug and Play device instanc
> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. > This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
- Prevent installation of devices that match any of these device instance IDs
- Prevent installation of devices that match any of these device instance IDs.
If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
@ -210,7 +213,6 @@ If you enable this policy setting on a remote desktop server, the policy setting
If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
<!--/Description--> <!--/Description-->
@ -408,6 +410,7 @@ This policy setting will change the evaluation order in which Allow and Prevent
Device instance IDs > Device IDs > Device setup class > Removable devices Device instance IDs > Device IDs > Device setup class > Removable devices
**Device instance IDs** **Device instance IDs**
- Prevent installation of devices using drivers that match these device instance IDs. - Prevent installation of devices using drivers that match these device instance IDs.
- Allow installation of devices using drivers that match these device instance IDs. - Allow installation of devices using drivers that match these device instance IDs.
@ -463,13 +466,13 @@ ADMX Info:
To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
```txt ```txt
>>> [Device Installation Restrictions Policy Check] >>> [Device Installation Restrictions Policy Check]
>>> Section start 2018/11/15 12:26:41.659 >>> Section start 2018/11/15 12:26:41.659
<<< Section end 2018/11/15 12:26:41.751 <<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS] <<< [Exit status: SUCCESS]
``` ```
You can also change the evaluation order of device installation policy settings by using a custom profile in Intune. You can also change the evaluation order of device installation policy settings by using a custom profile in Intune.
:::image type="content" source="images/edit-row.png" alt-text="This image is an edit row image."::: :::image type="content" source="images/edit-row.png" alt-text="This image is an edit row image.":::
@ -819,6 +822,7 @@ For example, this custom profile prevents installation of devices with matching
![Custom profile.](images/custom-profile-prevent-device-instance-ids.png) ![Custom profile.](images/custom-profile-prevent-device-instance-ids.png)
To prevent installation of devices with matching device instance IDs by using custom profile in Intune: To prevent installation of devices with matching device instance IDs by using custom profile in Intune:
1. Locate the device instance ID. 1. Locate the device instance ID.
2. Replace `&` in the device instance IDs with `&amp;`. 2. Replace `&` in the device instance IDs with `&amp;`.
For example: For example:
@ -938,3 +942,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
<!--/Policies--> <!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)

11
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - DeviceLock # Policy CSP - DeviceLock
<hr/> <hr/>
<!--Policies--> <!--Policies-->
@ -73,7 +71,7 @@ manager: dansimp
<hr/> <hr/>
> [!Important] > [!Important]
> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types).
<!--Policy--> <!--Policy-->
<a href="" id="devicelock-allowidlereturnwithoutpassword"></a>**DeviceLock/AllowIdleReturnWithoutPassword** <a href="" id="devicelock-allowidlereturnwithoutpassword"></a>**DeviceLock/AllowIdleReturnWithoutPassword**
@ -156,7 +154,6 @@ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For th
> [!NOTE] > [!NOTE]
> This policy must be wrapped in an Atomic command. > This policy must be wrapped in an Atomic command.
For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
<!--/Description--> <!--/Description-->
@ -824,7 +821,7 @@ GP Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. Disables the lock screen camera toggle-switch in PC Settings and prevents a camera from being invoked on the lock screen.
By default, users can enable invocation of an available camera on the lock screen. By default, users can enable invocation of an available camera on the lock screen.
@ -907,3 +904,7 @@ ADMX Info:
<!--/Policies--> <!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)

9
windows/client-management/mdm/policy-csp-display.md
View File

@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - Display # Policy CSP - Display
<hr/> <hr/>
<!--Policies--> <!--Policies-->
@ -230,7 +228,7 @@ If you enable this policy setting, GDI DPI Scaling is turned off for all applica
If you disable or don't configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications. If you disable or don't configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. If GDI DPI Scaling is configured to both turn-off and turn-on an application, the application will be turned off.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -289,7 +287,7 @@ If you enable this policy setting, GDI DPI Scaling is turned on for all legacy a
If you disable or don't configure this policy setting, GDI DPI Scaling won't be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. If you disable or don't configure this policy setting, GDI DPI Scaling won't be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. If GDI DPI Scaling is configured to both turn-off and turn-on an application, the application will be turned off.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -315,3 +313,6 @@ To validate on Desktop, do the following tasks:
<!--/Policies--> <!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)

15
windows/client-management/mdm/policy-csp-dmaguard.md
View File

@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - DmaGuard # Policy CSP - DmaGuard
<hr/> <hr/>
<!--Policies--> <!--Policies-->
@ -57,20 +56,20 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing. This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices that are incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers), device memory isolation and sandboxing.
Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
> [!NOTE] > [!NOTE]
> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices. > This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices.
Supported values: The following are the supported values:
0 - Block all (Most restrictive): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will never be allowed to start and perform DMA at any time. 0 - Block all (Most restrictive): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will never be allowed to start and perform DMA at any time.
1 - Only after log in/screen unlock (Default): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen 1 - Only after log in/screen unlock (Default): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen.
2 - Allow all (Least restrictive): All external DMA capable PCIe devices will be enumerated at any time 2 - Allow all (Least restrictive): All external DMA capable PCIe devices will be enumerated at any time
@ -95,6 +94,8 @@ ADMX Info:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
<!--/Policies--> <!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)

8
windows/client-management/mdm/policy-csp-eap.md
View File

@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - EAP # Policy CSP - EAP
<hr/> <hr/>
<!--Policies--> <!--Policies-->
@ -57,7 +56,7 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
This policy setting is added in Windows 10, version 21H1. Allow or disallow use of TLS 1.3 during EAP client authentication. Added in Windows 10, version 21H1. This policy setting allows or disallows use of TLS 1.3 during EAP client authentication.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -70,8 +69,8 @@ ADMX Info:
<!--/ADMXMapped--> <!--/ADMXMapped-->
<!--SupportedValues--> <!--SupportedValues-->
The following list shows the supported values: The following list shows the supported values:
- 0 Use of TLS version 1.3 is not allowed for authentication.
- 0 Use of TLS version 1.3 is not allowed for authentication.
- 1 (default) Use of TLS version 1.3 is allowed for authentication. - 1 (default) Use of TLS version 1.3 is allowed for authentication.
<!--/SupportedValues--> <!--/SupportedValues-->
@ -82,3 +81,6 @@ The following list shows the supported values:
<!--/Policies--> <!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)