diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 9fca236820..48023ee817 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -103,6 +103,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
DeviceHealthMonitoring/AllowDeviceHealthMonitoring
DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope
DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination
+DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
+DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
Experience/ShowLockOnUserTile
InternetExplorer/AllowEnhancedSuggestionsInAddressBar
InternetExplorer/DisableActiveXVersionListAutoDownload
@@ -1909,6 +1911,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|New or updated topic | Description|
|--- | ---|
|[Policy CSP - Defender](policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.|
+|[Policy CSP - DeviceInstallation](policy-csp-deviceinstallation.md)|Added the following new policies:
DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.|
### August 2019
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 61718b8d22..cb22ae437a 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1209,6 +1209,9 @@ The following diagram shows the Policy configuration service provider in tree fo
DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
+
+ DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
+
DeviceInstallation/PreventDeviceMetadataFromNetwork
@@ -1218,6 +1221,9 @@ The following diagram shows the Policy configuration service provider in tree fo
DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
+
+ DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
+
DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 75e6a2bd5a..ba62dc186a 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -4,6 +4,7 @@ ms.reviewer:
manager: dansimp
description: Policy CSP - DeviceInstallation
ms.author: dansimp
+ms.date: 09/26/2019
ms.topic: article
ms.prod: w10
ms.technology: windows
@@ -11,6 +12,8 @@ author: manikadhiman
---
# Policy CSP - DeviceInstallation
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -24,6 +27,9 @@ author: manikadhiman
DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
+
+ DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
+
DeviceInstallation/PreventDeviceMetadataFromNetwork
@@ -33,12 +39,14 @@ author: manikadhiman
DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
+
+ DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
+
DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
-
@@ -132,7 +140,7 @@ To enable this policy, use the following SyncML. This example allows Windows to
```
-To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
```txt
>>> [Device Installation Restrictions Policy Check]
@@ -247,7 +255,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes,
```
-To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
```txt
@@ -264,6 +272,105 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
+
+**DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+  6 |
+ 6 |
+ 6 |
+ 6 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1903. Also available in Windows 10, version 1809. This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
+
+If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+
+If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+
+Peripherals can be specified by their [device instance ID](https://docs.microsoft.com/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow installation of devices that match any of these device instance IDs*
+- GP name: *DeviceInstall_Instance_IDs_Allow*
+- GP path: *System/Device Installation/Device Installation Restrictions*
+- GP ADMX file name: *deviceinstallation.admx*
+
+
+
+
+
+
+To enable this policy, use the following SyncML.
+
+``` xml
+
+
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
+
+
+ string
+
+
+
+
+
+
+```
+To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+``` txt
+>>> [Device Installation Restrictions Policy Check]
+>>> Section start 2018/11/15 12:26:41.659
+<<< Section end 2018/11/15 12:26:41.751
+<<< [Exit status: SUCCESS]
+```
+
+
+
+
+
+
+
+
**DeviceInstallation/PreventDeviceMetadataFromNetwork**
@@ -546,6 +653,107 @@ For example, this custom profile blocks installation and usage of USB devices wi
+
+
+
+**DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1903. Also available in Windows 10, version 1809. This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+
+If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+
+If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+
+Peripherals can be specified by their [device instance ID](https://docs.microsoft.com/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent installation of devices that match any of these device instance IDs*
+- GP name: *DeviceInstall_Instance_IDs_Deny*
+- GP path: *System/Device Installation/Device Installation Restrictions*
+- GP ADMX file name: *deviceinstallation.admx*
+
+
+
+
+
+
+To enable this policy, use the following SyncML.
+
+``` xml
+
+
+
+ $CmdID$
+ -
+
+ ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
+
+
+ string
+
+
+
+
+
+
+```
+To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
+
+``` txt
+>>> [Device Installation Restrictions Policy Check]
+>>> Section start 2018/11/15 12:26:41.659
+<<< Section end 2018/11/15 12:26:41.751
+<<< [Exit status: SUCCESS]
+```
+
+
+
+
+
+
+
**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**