5.1 KiB
title, description, author, manager, ms.author, ms.date, ms.localizationpriority, ms.prod, ms.technology, ms.topic
| title | description | author | manager | ms.author | ms.date | ms.localizationpriority | ms.prod | ms.technology | ms.topic |
|---|---|---|---|---|---|---|---|---|---|
| ADMX_DeviceGuard Policy CSP | Learn more about the ADMX_DeviceGuard Area in Policy CSP | vinaypamnani-msft | aaroncz | vinpa | 12/21/2022 | medium | windows-client | itpro-manage | reference |
Policy CSP - ADMX_DeviceGuard
Tip
Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.
You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
Warning
Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
ConfigCIPolicy
| Scope | Editions | Applicable OS |
|---|---|---|
| ✔️ Device ❌ User |
❌ Home ✔️ Pro ✔️ Enterprise ✔️ Education ✔️ Windows SE |
✔️ Windows 10, version 2004 [10.0.19041.1202] and later ✔️ Windows 10, version 2009 [10.0.19042.1202] and later ✔️ Windows 10, version 21H1 [10.0.19043.1202] and later ✔️ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceGuard/ConfigCIPolicy
Deploy Windows Defender Application Control
This policy setting lets you deploy a Code Integrity Policy to a machine to control what is allowed to run on that machine.
If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. To enable this policy the machine must be rebooted.
The file path must be either a UNC path (for example, \ServerName\ShareName\SIPolicy.p7b), or a locally valid path (for example, C:\FolderName\SIPolicy.p7b). The local machine account (LOCAL SYSTEM) must have access permission to the policy file.
If using a signed and protected policy then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either:
- first update the policy to a non-protected policy and then disable the setting, or
- disable the setting and then remove the policy from each computer, with a physically present user.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For details, see Understanding ADMX-backed policies.
ADMX mapping:
| Name | Value |
|---|---|
| Name | ConfigCIPolicy |
| Friendly Name | Deploy Windows Defender Application Control |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| Registry Value Name | DeployConfigCIPolicy |
| ADMX File Name | DeviceGuard.admx |