From 7415a8e65206ec48f05eaf9099b7ee31b64a255b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 19 Nov 2020 15:28:45 -0800 Subject: [PATCH] Added new policies --- windows/client-management/mdm/TOC.md | 2 + .../mdm/policies-in-policy-csp-admx-backed.md | 19 + .../policy-configuration-service-provider.md | 67 ++ .../mdm/policy-csp-admx-devicenstallation.md | 842 ++++++++++++++++++ .../mdm/policy-csp-admx-devicesetup.md | 635 +++++++++++++ 5 files changed, 1565 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-devicenstallation.md create mode 100644 windows/client-management/mdm/policy-csp-admx-devicesetup.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 98251b87fe..0e6ef2c11d 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -181,6 +181,8 @@ #### [ADMX_Cpls](policy-csp-admx-cpls.md) #### [ADMX_CredSsp](policy-csp-admx-credssp.md) #### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md) +#### [ADMX_DeviceInstallation](policy-csp-admx-devicenstallation.md) +#### [ADMX_DeviceSetup](policy-csp-admx-devicesetup.md) #### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md) #### [ADMX_DnsClient](policy-csp-admx-dnsclient.md) #### [ADMX_DWM](policy-csp-admx-dwm.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 365e5a94e6..fe0e5fc17f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -76,6 +76,25 @@ ms.date: 10/08/2020 - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) - [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr) - [ADMX_CtrlAltDel/NoLogoff](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-nologoff) +- [ADMX_DeviceInstallation/DeviceInstall_AllSigningEqual](./policy-csp-admx-devicenstallation.md#admx-deviceinstallation-deviceinstall-allsigningequal) +- [ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall](./policy-csp-admx-devicenstallation.md#admx-deviceinstallation-deviceinstall-allowadmininstall) +- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText](./policy-csp-admx-devicenstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext) +- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText](./policy-csp-admx-devicenstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext) +- [ADMX_DeviceInstallation/DeviceInstall_InstallTimeout](./policy-csp-admx-devicenstallation.md#admx-deviceinstallation-deviceinstall-installtimeout) +- [ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime](./policy-csp-admx-devicenstallation.md#admx-deviceinstallation-deviceinstall-policy-reboottime) +- [ADMX_DeviceInstallation/DeviceInstall_Removable_Deny](./policy-csp-admx-devicenstallation.md#admx-deviceinstallation-deviceinstall-removable-deny) +- [ADMX_DeviceInstallation/DeviceInstall_SystemRestore](./policy-csp-admx-devicenstallation.md#admx-deviceinstallation-deviceinstall-systemrestore) +- [ADMX_DeviceInstallation/DeviceManagement_RPCInterface_Allow](./policy-csp-admx-devicenstallation.md#admx-devicemanagement-rpcinterface-allow) +- [ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser](./policy-csp-admx-devicenstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser) +- [ADMX_DeviceInstallation/DriverSigning](./policy-csp-admx-devicenstallation.md#admx-deviceinstallation-driversigning) +- [ADMX_DeviceSetup/DeviceInstall_BalloonTips](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips) +- [ADMX_DeviceSetup/DeviceInstall_GenericDriverSendToWER](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-genericdriversendtower) +- [ADMX_DeviceSetup/DeviceInstall_RequestAdditionalSoftwareSendToWER](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-requestadditionalsoftwaresendtower) +- [ADMX_DeviceSetup/DriverSearchPlaces](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces) +- [ADMX_DeviceSetup/DriverSearchPlaces_DontPromptForWindowsUpdate_1](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-dontpromptforwindowsupdate-1) +- [ADMX_DeviceSetup/DriverSearchPlaces_DontPromptForWindowsUpdate_2](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-dontpromptforwindowsupdate-2) +- [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration) +- [ADMX_DeviceSetup/DriverSearchPlaces_SearchServerConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchserverconfiguration) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2) - [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 6431d07b97..b1a2a67b23 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -377,6 +377,73 @@ The following diagram shows the Policy configuration service provider in tree fo +### ADMX_DeviceInstallation policies + +
+
+ ADMX_DeviceInstallation/DeviceInstall_AllSigningEqual +
+
+ ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall +
+
+ ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText +
+
+ ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText +
+
+ ADMX_DeviceInstallation/DeviceInstall_InstallTimeout +
+
+ ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime +
+
+ ADMX_DeviceInstallation/DeviceInstall_Removable_Deny +
+
+ ADMX_DeviceInstallation/DeviceInstall_SystemRestore +
+
+ ADMX_DeviceInstallation/DeviceManagement_RPCInterface_Allow +
+
+ ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser +
+
+ ADMX_DeviceInstallation/DriverSigning +
+
+ +### ADMX_DeviceSetup policies + +
+
+ ADMX_DeviceSetup/DeviceInstall_BalloonTips +
+
+ ADMX_DeviceSetup/DeviceInstall_GenericDriverSendToWER +
+
+ ADMX_DeviceSetup/DeviceInstall_RequestAdditionalSoftwareSendToWER +
+
+ ADMX_DeviceSetup/DriverSearchPlaces +
+
+ ADMX_DeviceSetup/DriverSearchPlaces_DontPromptForWindowsUpdate_1 +
+
+ ADMX_DeviceSetup/DriverSearchPlaces_DontPromptForWindowsUpdate_2 +
+
+ ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration +
+
+ ADMX_DeviceSetup/DriverSearchPlaces_SearchServerConfiguration +
+
+ ### ADMX_DigitalLocker policies
diff --git a/windows/client-management/mdm/policy-csp-admx-devicenstallation.md b/windows/client-management/mdm/policy-csp-admx-devicenstallation.md new file mode 100644 index 0000000000..c52d3a4656 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-devicenstallation.md @@ -0,0 +1,842 @@ +--- +title: Policy CSP - ADMX_DeviceInstallation +description: Policy CSP - ADMX_DeviceInstallation +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/19/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DeviceInstallation +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_DeviceInstallation policies + +
+
+ ADMX_DeviceInstallation/DeviceInstall_AllSigningEqual +
+
+ ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall +
+
+ ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText +
+
+ ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText +
+
+ ADMX_DeviceInstallation/DeviceInstall_InstallTimeout +
+
+ ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime +
+
+ ADMX_DeviceInstallation/DeviceInstall_Removable_Deny +
+
+ ADMX_DeviceInstallation/DeviceInstall_SystemRestore +
+
+ ADMX_DeviceInstallation/DeviceManagement_RPCInterface_Allow +
+
+ ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser +
+
+ ADMX_DeviceInstallation/DriverSigning +
+
+ + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_AllSigningEqual** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine how drivers signed by a Microsoft Windows Publisher certificate are ranked with drivers signed by other valid Authenticode signatures during the driver selection and installation process. Regardless of this policy setting, a signed driver is still preferred over a driver that is not signed at all. + +If you enable or do not configure this policy setting, drivers that are signed by a Microsoft Windows Publisher certificate and drivers that are signed by other Authenticode certificates are prioritized equally during the driver selection process. Selection is based on other criteria, such as version number or when the driver was created. + +If you disable this policy setting, drivers that are signed by a Microsoft Windows Publisher certificate are selected for installation over drivers that are signed by other Authenticode certificates. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prioritize all digitally signed drivers equally during the driver ranking and selection process* +- GP name: *DeviceInstall_AllSigningEqual* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. + +If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow administrators to override Device Installation Restriction policies* +- GP name: *DeviceInstall_AllowAdminInstall* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. + +If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. + +If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display a custom message when installation is prevented by a policy setting* +- GP name: *DeviceInstall_DeniedPolicy_DetailText* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. + +If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. + +If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display a custom message title when device installation is prevented by a policy setting* +- GP name: *DeviceInstall_DeniedPolicy_SimpleText* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_InstallTimeout** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. + +If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. + +If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure device installation time-out* +- GP name: *DeviceInstall_InstallTimeout* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. + +If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. + +If you disable or do not configure this policy setting, the system does not force a reboot. + +Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Time (in seconds) to force reboot when required for policy changes to take effect* +- GP name: *DeviceInstall_Policy_RebootTime* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_Removable_Deny** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + +If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent installation of removable devices* +- GP name: *DeviceInstall_Removable_Deny* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_SystemRestore** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. + +If you enable this policy setting, Windows does not create a system restore point when one would normally be created. + +If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point* +- GP name: *DeviceInstall_SystemRestore* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceManagement_RPCInterface_Allow** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to allow or deny remote access to the Plug and Play interface. + +If you enable this policy setting, remote connections to the Plug and Play interface are allowed. + +If you disable or do not configure this policy setting, remote connections to the Plug and Play interface are not allowed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow remote access to the Plug and Play interface* +- GP name: *DeviceManagement_RPCInterface_Allow* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. + +If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. + +If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow non-administrators to install drivers for these device setup classes* +- GP name: *DriverInstall_Classes_AllowUser* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DriverSigning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Determines how the system responds when a user tries to install device driver files that are not digitally signed. + +This setting establishes the least secure response permitted on the systems of users in the group. Users can use System in Control Panel to select a more secure setting, but when this setting is enabled, the system does not implement any setting less secure than the one the setting established. + +When you enable this setting, use the drop-down box to specify the desired response. + +- "Ignore" directs the system to proceed with the installation even if it includes unsigned files. +- "Warn" notifies the user that files are not digitally signed and lets the user decide whether to stop or to proceed with the installation and whether to permit unsigned files to be installed. "Warn" is the default. +- "Block" directs the system to refuse to install unsigned files. As a result, the installation stops, and none of the files in the driver package are installed. + +To change driver file security without specifying a setting, use System in Control Panel. Right-click My Computer, click Properties, click the Hardware tab, and then click the Driver Signing button. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Code signing for device drivers* +- GP name: *DriverSigning* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md new file mode 100644 index 0000000000..d82cda8513 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -0,0 +1,635 @@ +--- +title: Policy CSP - ADMX_DeviceSetup +description: Policy CSP - ADMX_DeviceSetup +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/19/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DeviceSetup +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_DeviceSetup policies + +
+
+ ADMX_DeviceSetup/DeviceInstall_BalloonTips +
+
+ ADMX_DeviceSetup/DeviceInstall_GenericDriverSendToWER +
+
+ ADMX_DeviceSetup/DeviceInstall_RequestAdditionalSoftwareSendToWER +
+
+ ADMX_DeviceSetup/DriverSearchPlaces +
+
+ ADMX_DeviceSetup/DriverSearchPlaces_DontPromptForWindowsUpdate_1 +
+
+ ADMX_DeviceSetup/DriverSearchPlaces_DontPromptForWindowsUpdate_2 +
+
+ ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration +
+
+ ADMX_DeviceSetup/DriverSearchPlaces_SearchServerConfiguration +
+
+ + +
+ + +**ADMX_DeviceSetup/DeviceInstall_BalloonTips** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off "Found New Hardware" balloons during device installation. + +If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. + +If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off "Found New Hardware" balloons during device installation* +- GP name: *DeviceInstall_BalloonTips* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
+ + +**ADMX_DeviceSetup/DeviceInstall_GenericDriverSendToWER** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Windows has a feature that sends "generic-driver-installed" reports through the Windows Error Reporting infrastructure. This policy allows you to disable the feature. + +If you enable this policy setting, an error report is not sent when a generic driver is installed. + +If you disable or do not configure this policy setting, an error report is sent when a generic driver is installed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not send a Windows error report when a generic driver is installed on a device* +- GP name: *DeviceInstall_GenericDriverSendToWER* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
+ + +**ADMX_DeviceSetup/DeviceInstall_RequestAdditionalSoftwareSendToWER** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Windows has a feature that allows a device driver to request additional software through the Windows Error Reporting infrastructure. This policy allows you to disable the feature. + +If you enable this policy setting, Windows will not send an error report to request additional software even if this is specified by the device driver. + +If you disable or do not configure this policy setting, Windows sends an error report when a device driver that requests additional software is installed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent Windows from sending an error report when a device driver requests additional software during installation* +- GP name: *DeviceInstall_RequestAdditionalSoftwareSendToWER* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
+ + +**ADMX_DeviceSetup/DriverSearchPlaces** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting configures the location that Windows searches for drivers when a new piece of hardware is found. + +By default, Windows searches the following places for drivers: local installation, floppy drives, CD-ROM drives, Windows Update. + +Using this setting, you may remove the floppy and CD-ROM drives from the search algorithm. + +If you enable this setting, you can remove the locations by selecting the associated check box beside the location name. + +If you disable or do not configure this setting, Windows searches the installation location, floppy drives, and CD-ROM drives. + +> [!NOTE] +> To prevent searching Windows Update for drivers also see "Turn off Windows Update device driver searching" in Administrative Templates/System/Internet Communication Management/Internet Communication settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure driver search locations* +- GP name: *DriverSearchPlaces* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
+ + +**ADMX_DeviceSetup/DriverSearchPlaces_DontPromptForWindowsUpdate_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies whether the administrator will be prompted about going to Windows Update to search for device drivers using the Internet. + +> [!NOTE] +> This setting only has effect if "Turn off Windows Update device driver searching" in "Administrative Templates/System/Internet Communication Management/Internet Communication settings" is disabled or not configured. + +If you enable this setting, administrators will not be prompted to search Windows Update. + +If you disable or do not configure this setting, and "Turn off Windows Update device driver searching" is disabled or not configured, the administrator will be prompted for consent before going to Windows Update to search for device drivers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Update device driver search prompt* +- GP name: *DriverSearchPlaces_DontPromptForWindowsUpdate_1* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
+ + +**ADMX_DeviceSetup/DriverSearchPlaces_DontPromptForWindowsUpdate_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies whether the administrator will be prompted about going to Windows Update to search for device drivers using the Internet. + +> [!NOTE] +> This setting only has effect if "Turn off Windows Update device driver searching" in "Administrative Templates/System/Internet Communication Management/Internet Communication settings" is disabled or not configured. + +If you enable this setting, administrators will not be prompted to search Windows Update. + +If you disable or do not configure this setting, and "Turn off Windows Update device driver searching" is disabled or not configured, the administrator will be prompted for consent before going to Windows Update to search for device drivers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Update device driver search prompt* +- GP name: *DriverSearchPlaces_DontPromptForWindowsUpdate_2* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
+ + +**ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which Windows searches source locations for device drivers. + +If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. + +Note that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on the system. + +If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify search order for device driver source locations* +- GP name: *DriverSearchPlaces_SearchOrderConfiguration* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
+ + +**ADMX_DeviceSetup/DriverSearchPlaces_SearchServerConfiguration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the search server that Windows uses to find updates for device drivers. + +If you enable this policy setting, you can select whether Windows searches Windows Update (WU), searches a Managed Server, or a combination of both. + +Note that if both are specified, then Windows will first search the Managed Server, such as a Windows Server Update Services (WSUS) server. Only if no update is found will Windows then also search Windows Update. + +If you disable or do not configure this policy setting, members of the Administrators group can determine the server used in the search for device drivers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the search server for device driver updates* +- GP name: *DriverSearchPlaces_SearchServerConfiguration* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + +