windows-itpro-docs/windows/client-management/mdm/policy-csp-admx-filerevocation.md
2022-10-07 13:44:25 -04:00

3.5 KiB
Raw Blame History

title, description, ms.author, ms.localizationpriority, ms.topic, ms.prod, ms.technology, author, ms.date, ms.reviewer, manager
title description ms.author ms.localizationpriority ms.topic ms.prod ms.technology author ms.date ms.reviewer manager
Policy CSP - ADMX_FileRevocation Learn about the Policy CSP - ADMX_FileRevocation. vinpa medium article w10 windows vinaypamnani-msft 09/13/2021 aaroncz

Policy CSP - ADMX_FileRevocation

Tip

This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.

You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.


ADMX_FileRevocation/DelegatedPackageFamilyNames

ADMX_FileRevocation/DelegatedPackageFamilyNames

Edition Windows 10 Windows 11
Home No No
Pro Yes Yes
Windows SE No Yes
Business Yes Yes
Enterprise Yes Yes
Education Yes Yes

Scope:

[!div class = "checklist"]

  • User

Windows Runtime applications can protect content that has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is protected by a particular enterprise, add an entry to the list on a new line that contains the enterprise identifier, separated by a comma, and the Package Family Name of the application. The EID must be an internet domain belonging to the enterprise in standard international domain name format. Example value: Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy

If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device.

If you disable or don't configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app.

Any other Windows Runtime application will only be able to revoke access to content it protected.

Note

Information the user should notice even if skimmingFile revocation applies to all content protected under the same second level domain as the provided enterprise identifier. Therefore, revoking an enterprise ID of mail.contoso.com will revoke the users access to all content protected under the contoso.com hierarchy.

ADMX Info:

  • GP Friendly name: Allow Windows Runtime apps to revoke enterprise data.
  • GP name: DelegatedPackageFamilyNames
  • GP path: Windows Components\File Revocation
  • GP ADMX file name: FileRevocation.admx

ADMX-backed policies in Policy CSP