From 66db42db3d07a9cd58b9f7fc582a4fd5b90ac42f Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 8 Sep 2021 17:27:59 +0530 Subject: [PATCH] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 + .../policy-configuration-service-provider.md | 1 - .../mdm/policy-csp-admx-deviceguard.md | 119 ++++++++++++++++++ 3 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-deviceguard.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index ce9b2705ba..cb9e4b2fbd 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -162,6 +162,7 @@ ms.date: 10/08/2020 - [ADMX_DeviceInstallation/DeviceInstall_Removable_Deny](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-removable-deny) - [ADMX_DeviceInstallation/DeviceInstall_SystemRestore](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-systemrestore) - [ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser) +- [ADMX_DeviceGuard/ConfigCIPolicy](./policy-csp-admx-deviceguard.md#admx-deviceguard-configcipolicy) - [ADMX_DeviceSetup/DeviceInstall_BalloonTips](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips) - [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) 
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 36b9ca5353..895c4bf6e4 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -669,7 +669,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- ### ADMX_DeviceInstallation policies
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md new file mode 100644 index 0000000000..079455128a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md @@ -0,0 +1,119 @@ +--- +title: Policy CSP - ADMX_DeviceGuard +description: Policy CSP - ADMX_DeviceGuard +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 09/08/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DeviceGuard +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_DeviceGuard policies + +
+
+ ADMX_DeviceGuard/ConfigCIPolicy +
+
+ + +
+ + +**ADMX_DeviceGuard/ConfigCIPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting lets you deploy a Code Integrity Policy to a machine to control what is allowed to run on that machine. + +If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. + +To enable this policy the machine must be rebooted. +The file path must be either a UNC path (for example, `\\ServerName\ShareName\SIPolicy.p7b`), +or a locally valid path (for example, `C:\FolderName\SIPolicy.p7b)`. + +The local machine account (LOCAL SYSTEM) must have access permission to the policy file. +If using a signed and protected policy then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either: +1. First update the policy to a non-protected policy and then disable the setting. +2. Disable the setting and then remove the policy from each computer, with a physically present user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Deploy Windows Defender Application Control* +- GP name: *ConfigCIPolicy* +- GP path: *Windows Components/DeviceGuard!DeployConfigCIPolicy* +- GP ADMX file name: *DeviceGuard.admx* + + + + +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + +
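Review bot: In policies-in-policy-csp-admx-backed.md (hunk at line 162), the new `ADMX_DeviceGuard/ConfigCIPolicy` entry sits after the `ADMX_DeviceInstallation/...` entries, which breaks the alphabetical order the surrounding context follows (DeviceInstallation, DeviceSetup, DigitalLocker). Move it above the `ADMX_DeviceInstallation` group so the index stays sorted by area name.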
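Review bot: policy-configuration-service-provider.md gets no entry for the new area. Per the diffstat, the only change to that file is one deleted line in the hunk at line 669, next to the `### ADMX_DeviceInstallation policies` heading. Add an `### ADMX_DeviceGuard policies` section that links to `./policy-csp-admx-deviceguard.md#admx-deviceguard-configcipolicy`, as the admx-backed index now does, and drop the deletion if it is an unrelated whitespace change.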
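Review bot: In the new policy-csp-admx-deviceguard.md, the local-path example closes its code span after the parenthesis (`C:\FolderName\SIPolicy.p7b)`), so the `)` renders as part of the path. Move the closing backtick before the `)` to match the UNC example on the line above. In the same description, the two items under "Instead, you must either:" are alternatives but are numbered 1 and 2 like sequential steps, so a bulleted list would avoid that reading. The front matter `description` only repeats the title, and `ms.reviewer` is left empty.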