This commit is contained in:
Nimisha Satapathy
2022-09-10 02:05:21 +05:30
parent bd80d690a9
commit c6f89f671c
4 changed files with 717 additions and 0 deletions

@ -0,0 +1,38 @@
---
title: PersonalDataEncryption CSP
description: Learn how the PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 02/04/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
---
# PersonalDataEncryption CSP
The PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP is supported in Windows 11.
The following shows the PersonalDataEncryption configuration service provider in tree format:
```./User/Vendor/MSFT/PDE
-- EnablePersonalDataEncryption
-- Status
-------- PersonalDataEncryptionStatus
```
**EnablePersonalDataEncryption**: 0 is default (disabled). 1 (enabled) will make Personal Data Encryption (PDE) public API available to applications for the user: [UserDataProtectionManager Class (Windows.Security.DataProtection) - Windows UWP applications | Microsoft Docs](https://docs.microsoft.com/uwp/api/windows.security.dataprotection.userdataprotectionmanager?view=winrt-22621). The public API allows apps running as the user to encrypt data as soon as this policy is enabled. This doesn't mean PDE is enabled as prerequisites must be met for this to happen.
**Status/PersonalDataEncryptionStatus**: Reports the current status of Personal Data Encryption (PDE) for the user. If prerequisites of PDE are not met, then this will report 0. If all prerequisites are met for PDE, PDE won't enabled and this will report 1.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
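
Review bot: In the **Status/PersonalDataEncryptionStatus** paragraph, the sentence "If all prerequisites are met for PDE, PDE won't enabled and this will report 1" is ungrammatical and reads as the opposite of what a reported 1 implies; it should say that PDE will be enabled. The tree listing puts the root path `./User/Vendor/MSFT/PDE` on the opening fence line, where it becomes the fence's info string and will not render, so move it onto its own line inside the block. The **EnablePersonalDataEncryption** paragraph says prerequisites must be met but neither lists nor links them, which leaves an admin unable to tell why Status still reports 0 after setting the policy to 1. The front matter also carries `ms.prod: w10` and `ms.date: 02/04/2022`, while the article says the CSP is supported in Windows 11 and the commit is dated 2022-09-10.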

@ -0,0 +1,127 @@
---
title: PersonalDataEncryption DDF file
description: Learn about the OMA DM device description framework (DDF) for the PersonalDataEncryption configuration service provider.
ms.author: v-nsatapathy
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.localizationpriority: medium
ms.date: 09/10/2022
ms.reviewer:
manager: dansimp
---
# PersonalDataEncryption DDF file
This topic shows the OMA DM device description framework (DDF) for the **PersonalDataEncryption** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>PDE</NodeName>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>EnablePersonalDataEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable Personal Data Encryption. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable Personal Data Encryption.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable Personal Data Encryption.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>PersonalDataEncryptionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports the current state of Personal Data Encryption for a user. '0' means disabled. '1' means enabled.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
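
Review bot: The `EnablePersonalDataEncryption` node declares its allowed values 0 and 1 but no default, although the CSP article added in this same commit states that 0 (disabled) is the default; add a `DefaultValue` element or state the default in the `Description` so the DDF and the article agree. The `PersonalDataEncryptionStatus` description says "'0' means disabled. '1' means enabled", while the CSP article says 0 is reported when the prerequisites are not met; use the same wording in both places so that a 0 is not read as "policy not applied". The `Description` text "Set to '1' to set this policy" would be clearer as "Set to '1' to enable".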

@ -0,0 +1,547 @@
---
title: Policy CSP - Printers
description: Use this policy setting to control the client Point and Print behavior, including security prompts for Windows Vista computers.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - Printers
<hr/>
<!--Policies-->
## Printers policies
<dl>
<dd>
<a href="#printers-approvedusbprintdevices">Printers/ApprovedUsbPrintDevices</a>
</dd>
<dd>
<a href="#printers-approvedusbprintdevicesuser">Printers/ApprovedUsbPrintDevicesUser</a>
</dd>
<dd>
<a href="#printers-enabledevicecontrol">Printers/EnableDeviceControl</a>
</dd>
<dd>
<a href="#printers-enabledevicecontroluser">Printers/EnableDeviceControlUser</a>
</dd>
<dd>
<a href="#printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
</dd>
<dd>
<a href="#printers-pointandprintrestrictions-user">Printers/PointAndPrintRestrictions_User</a>
</dd>
<dd>
<a href="#printers-publishprinters">Printers/PublishPrinters</a>
</dd>
</dl>
> [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policy-->
<a href="" id="printers-approvedusbprintdevices"></a>**Printers/ApprovedUsbPrintDevices**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy implements the print portion of the Device Control requirements.
These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
This policy will contain the comma separated list of approved USB Vid&Pid combinations which the print spooler will allow to print when Device Control is enabled.
The format of this setting is `<vid>/<pid>[,<vid>/<pid>]`
Parent deliverable: 26209274 - Device Control: Printer
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Support for new Device Control Print feature*
- GP name: *ApprovedUsbPrintDevices*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-approvedusbprintdevicesuser"></a>**Printers/ApprovedUsbPrintDevicesUser**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy implements the print portion of the Device Control requirements.
These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
This policy will contain the comma separated list of approved USB Vid&Pid combinations which the print spooler will allow to print when Device Control is enabled.
The format of this setting is `<vid>/<pid>[,<vid>/<pid>]`
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Support for new Device Control Print feature*
- GP name: *ApprovedUsbPrintDevicesUser*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-enabledevicecontrol"></a>**Printers/EnableDeviceControl**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy implements the print portion of the Device Control requirements.
These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
This policy will control whether the print spooler will attempt to restrict printing as part of Device Control.
The default value of the policy will be Unconfigured.
If the policy value is either Unconfigured or Disabled the print spooler will not restrict printing.
If the policy value is Enabled the print spooler will restrict local printing to USB devices in the Approved Device list.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Support for new Device Control Print feature*
- GP name: *EnableDeviceControl*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-enabledevicecontroluser"></a>**Printers/EnableDeviceControlUser**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy implements the print portion of the Device Control requirements.
These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network.
This policy will control whether the print spooler will attempt to restrict printing as part of Device Control.
The default value of the policy will be Unconfigured.
If the policy value is either Unconfigured or Disabled the print spooler will not restrict printing.
If the policy value is Enabled the print spooler will restrict local printing to USB devices in the Approved Device list.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Support for new Device Control Print feature*
- GP name: *EnableDeviceControlUser*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-pointandprintrestrictions"></a>**Printers/PointAndPrintRestrictions**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
If you enable this policy setting:
- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
- You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
If you do not configure this policy setting:
- Windows Vista client computers can point and print to any server.
- Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
- Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
- Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
If you disable this policy setting:
- Windows Vista client computers can create a printer connection to any server using Point and Print.
- Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
- Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
- Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
- The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions_Win7*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<!--Example-->
Example:
```xml
Name: Point and Print Enable Oma-URI: ./Device/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions
Data type: String Value: <enabled/>
<data id="PointAndPrint_TrustedServers_Chk" value="true"/>
<data id="PointAndPrint_TrustedServers_Edit" value="Printserver1.Contoso.com"/>
<data id="PointAndPrint_TrustedForest_Chk" value="false"/>
<data id="PointAndPrint_NoWarningNoElevationOnInstall_Enum" value="1"/>
<data id="PointAndPrint_NoWarningNoElevationOnUpdate_Enum" value="2"/>
```
<!--/Example-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-pointandprintrestrictions-user"></a>**Printers/PointAndPrintRestrictions_User**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
If you enable this policy setting:
- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
- You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
If you do not configure this policy setting:
- Windows Vista client computers can point and print to any server.
- Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
- Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
- Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
If you disable this policy setting:
- Windows Vista client computers can create a printer connection to any server using Point and Print.
- Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
- Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
- Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
- The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Point and Print Restrictions*
- GP name: *PointAndPrint_Restrictions*
- GP path: *Control Panel/Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-publishprinters"></a>**Printers/PublishPrinters**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Determines whether the computer's shared printers can be published in Active Directory.
If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.
If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available.
Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allow printers to be published*
- GP name: *PublishPrinters*
- GP path: *Printers*
- GP ADMX file name: *Printing2.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->
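
Review bot: The Scope checklist reads "User" for `Printers/ApprovedUsbPrintDevices` and `Printers/EnableDeviceControl` as well as for their `...User` counterparts, so the page gives no way to tell the two variants of each policy apart; confirm the scope of the non-User policies and correct it if they are device-scoped. The `Printers/ApprovedUsbPrintDevicesUser` section ends at `<!--/ADMXBacked-->` with no closing `<!--/Policy-->` marker, unlike every other policy block in the file. The line "Parent deliverable: 26209274 - Device Control: Printer" in the ApprovedUsbPrintDevices description looks like an internal tracking reference and should be dropped from the published text. In the `PointAndPrintRestrictions` example, the first two lines (Name, Oma-URI, Data type, Value) are not XML and are run together inside an `xml` fence; split them out as prose or a list and keep only the `<enabled/>` and `<data .../>` payload in the block. The example also sets `PointAndPrint_NoWarningNoElevationOnInstall_Enum` to 1 and `PointAndPrint_NoWarningNoElevationOnUpdate_Enum` to 2 without saying what those values mean; since the description says this policy controls whether warnings and elevation prompts appear, document each enum value so the sample is not copied blindly. Minor: "This settings takes priority" should read "This setting takes priority", and `ms.date: 09/27/2019` does not match a file added in this commit.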

@ -335,6 +335,11 @@ items:
items: items:
- name: PassportForWork DDF file - name: PassportForWork DDF file
href: passportforwork-ddf.md href: passportforwork-ddf.md
- name: PersonalDataEncryption CSP
href: personaldataencryption-csp.md
items:
- name: PersonalDataEncryption DDF file
href: personaldataencryption-ddf.md
- name: Personalization CSP - name: Personalization CSP
href: personalization-csp.md href: personalization-csp.md
items: items:
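
Review bot: This hunk adds TOC entries only for `personaldataencryption-csp.md` and `personaldataencryption-ddf.md`, while the commit also adds a "Policy CSP - Printers" article with no matching entry here; confirm that page is already listed elsewhere in the TOC, or add it so that it is reachable. The new entry nests the DDF file under the CSP with `items:` in the same way as the neighbouring PassportForWork and Personalization entries, and it sits in alphabetical order between them. The indentation of the added lines cannot be checked from this rendering and should be verified against the sibling entries, since the YAML nesting depends on it.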