From 986029e98f7154734d3d6fb5231ff5a6b4d0bf29 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 15 Aug 2019 17:09:50 +0530 Subject: [PATCH 1/6] Added 20H1 policies --- .../mdm/policy-csp-deviceinstallation.md | 158 +++++++++++++++++- 1 file changed, 156 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index e137a5dc9f..3df85a5ecf 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -11,6 +11,8 @@ author: manikadhiman --- # Policy CSP - DeviceInstallation +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -24,6 +26,9 @@ author: manikadhiman
DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
+
+ DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs +
DeviceInstallation/PreventDeviceMetadataFromNetwork
@@ -33,12 +38,14 @@ author: manikadhiman
DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
+
+ DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs +
DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
-
@@ -264,6 +271,79 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
+ +**DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. + +If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + +Peripherals can be specified by their [device instance ID](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow installation of devices that match any of these device instance IDs* +- GP name: *DeviceInstall_Instance_IDs_Allow* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + + + + + + + + + + +
+ **DeviceInstallation/PreventDeviceMetadataFromNetwork** @@ -546,6 +626,80 @@ For example, this custom profile blocks installation and usage of USB devices wi +
+ + +**DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark6check mark6check mark6check mark6
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + +If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. + +Peripherals can be specified by their [device instance ID](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent installation of devices that match any of these device instance IDs* +- GP name: *DeviceInstall_Instance_IDs_Deny* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + + + + + + + + + + +
**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** @@ -661,6 +815,6 @@ Footnote: - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. -- 6 - Added in the next major release of Windows 10. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file From 49bddd1894a92c4f345f08fede14be26c9c9f476 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 29 Aug 2019 09:43:19 -0700 Subject: [PATCH 2/6] Added SyncML examples --- .../mdm/policy-csp-deviceinstallation.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 3df85a5ecf..192db804ab 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -335,7 +335,33 @@ ADMX Info: +To enable this policy, use the following SyncML. +``` xml + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs + + + string + + + + + + +``` +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +``` txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` @@ -692,7 +718,34 @@ ADMX Info: +To enable this policy, use the following SyncML. +``` xml + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs + + + string + + + + + + +``` +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + +``` txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` From 32193dbdc073de271ac2526056d6454909dd2762 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 25 Sep 2019 10:26:44 -0700 Subject: [PATCH 3/6] Added Windows version --- .../mdm/new-in-windows-mdm-enrollment-management.md | 3 +++ .../mdm/policy-configuration-service-provider.md | 6 ++++++ .../client-management/mdm/policy-csp-deviceinstallation.md | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 1c11eca4c1..b635a732a2 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -103,6 +103,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • DeviceHealthMonitoring/AllowDeviceHealthMonitoring
  • DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope
  • DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination
    • +
  • DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
    • +
  • DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
  • Experience/ShowLockOnUserTile
  • InternetExplorer/AllowEnhancedSuggestionsInAddressBar
  • InternetExplorer/DisableActiveXVersionListAutoDownload
    • @@ -1905,6 +1907,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o |New or updated topic | Description| |--- | ---| |[Policy CSP - Defender](policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.| +|[Policy CSP - DeviceInstallation](policy-csp-deviceinstallation.md)|Added the following new policices:
    DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.| ### August 2019 diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 9a03db87e3..360d56c02f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1027,6 +1027,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
    +
    + DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs +
    DeviceInstallation/PreventDeviceMetadataFromNetwork
    @@ -1036,6 +1039,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
    +
    + DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs +
    DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
    diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index d83435f182..712ae6009c 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -307,7 +307,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i -This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +Added in Windows 10, version 1903. Also available in Windows 10, version 1809. This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. @@ -690,7 +690,7 @@ For example, this custom profile blocks installation and usage of USB devices wi -This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. +Added in Windows 10, version 1903. Also available in Windows 10, version 1809. This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. From 39e9b3711ba1c5af66ec63ddd83be5bcff7f897d Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 26 Sep 2019 10:58:45 -0700 Subject: [PATCH 4/6] minor updates --- .../client-management/mdm/policy-csp-deviceinstallation.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 712ae6009c..b470f3a5cf 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -4,6 +4,7 @@ ms.reviewer: manager: dansimp description: Policy CSP - DeviceInstallation ms.author: dansimp +ms.date: 09/26/2019 ms.topic: article ms.prod: w10 ms.technology: windows @@ -139,7 +140,7 @@ To enable this policy, use the following SyncML. This example allows Windows to ``` -To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt >>> [Device Installation Restrictions Policy Check] @@ -254,7 +255,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` -To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: +To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: ```txt From 24662139864342103320ff37697f27d0ad61e0c6 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 26 Sep 2019 11:26:23 -0700 Subject: [PATCH 5/6] Fixed a typo --- .../mdm/new-in-windows-mdm-enrollment-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 3c87d115e8..48023ee817 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1911,7 +1911,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o |New or updated topic | Description| |--- | ---| |[Policy CSP - Defender](policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.| -|[Policy CSP - DeviceInstallation](policy-csp-deviceinstallation.md)|Added the following new policices:
    DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.| +|[Policy CSP - DeviceInstallation](policy-csp-deviceinstallation.md)|Added the following new policies:
    DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.| ### August 2019 From 030a36f3eabf32a69333a5e876fc185794bebaa5 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 26 Sep 2019 11:27:21 -0700 Subject: [PATCH 6/6] Removed en-us --- .../client-management/mdm/policy-csp-deviceinstallation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index b470f3a5cf..ba62dc186a 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -314,7 +314,7 @@ If you enable this policy setting, Windows is allowed to install or update any d If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. -Peripherals can be specified by their [device instance ID](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals can be specified by their [device instance ID](https://docs.microsoft.com/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. > [!TIP] @@ -697,7 +697,7 @@ If you enable this policy setting, Windows is prevented from installing a device If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. -Peripherals can be specified by their [device instance ID](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. +Peripherals can be specified by their [device instance ID](https://docs.microsoft.com/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. > [!TIP]