Bewerken

Delen via


Policy CSP

The Policy configuration service provider enables the enterprise to configure policies on Windows 10 and Windows 11. Use this configuration service provider to configure any company policies.

The Policy configuration service provider has the following sub-categories:

  • Policy/Config/AreaName - Handles the policy configuration request from the server.
  • Policy/Result/AreaName - Provides a read-only path to policies enforced on the device.

Policy scope

Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user. To configure a policy under a specific scope (user vs. device), please use the following paths:

User scope:

  • ./User/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
  • ./User/Vendor/MSFT/Policy/Result/AreaName/PolicyName to get the result.

Device scope:

  • ./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
  • ./Device/Vendor/MSFT/Policy/Result/AreaName/PolicyName to get the result.

Note

For device wide configuration the Device/ portion may be omitted from the path, deeming the following paths respectively equivalent to the paths provided above:

  • ./Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
  • ./Vendor/MSFT/Policy/Result/AreaName/PolicyName to get the result.

The following list shows the Policy configuration service provider nodes:

Device/Config

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Config

Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get

Device/Config/{AreaName}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Config/{AreaName}

The area group that can be configured by a single technology for a single provider. Once added, you can't change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming ClientInventory

Device/Config/{AreaName}/{PolicyName}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}

Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.

The following list shows some tips to help you when configuring policies:

  • Separate substring values by Unicode 0xF000 in the XML file.

    Note

    A query from a different caller could provide a different value as each caller could have different values for a named policy.

  • In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.
  • Supported operations are Add, Get, Delete, and Replace.
  • Value type is string.

Description framework properties:

Property name Property value
Format null
Access Type Add, Delete, Get, Replace
Dynamic Node Naming ClientInventory

Device/ConfigOperations

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/ConfigOperations

The root node for grouping different configuration operations.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get

Device/ConfigOperations/ADMXInstall

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall

Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that's added is assigned a unique ID. ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.

For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration.

Note

The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see Office Customization Tool.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get

Device/ConfigOperations/ADMXInstall/{AppName}

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}

Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming UniqueName: Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
Device/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}

Setting Type of Win32 App. Policy Or Preference.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming UniqueName: Setting Type of Win32 App. Policy Or Preference
Device/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}/{AdmxFileId}
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}/{AdmxFileId}

Unique ID of ADMX file.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Dynamic Node Naming ServerGeneratedUniqueIdentifier
Device/ConfigOperations/ADMXInstall/{AppName}/Properties
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 with KB4520006 [10.0.16299.1481] and later
✅ Windows 10, version 1803 with KB4519978 [10.0.17134.1099] and later
✅ Windows 10, version 1809 with KB4520062 [10.0.17763.832] and later
✅ Windows 10, version 1903 with KB4517211 [10.0.18362.387] and later
✅ Windows 10, version 1909 [10.0.18363] and later
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties

Properties of Win32 App ADMX Ingestion.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Device/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 with KB4520006 [10.0.16299.1481] and later
✅ Windows 10, version 1803 with KB4519978 [10.0.17134.1099] and later
✅ Windows 10, version 1809 with KB4520062 [10.0.17763.832] and later
✅ Windows 10, version 1903 with KB4517211 [10.0.18362.387] and later
✅ Windows 10, version 1909 [10.0.18363] and later
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}

Setting Type of Win32 App. Policy Or Preference.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming UniqueName: Setting Type of Win32 App. Policy Or Preference
Device/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 with KB4520006 [10.0.16299.1481] and later
✅ Windows 10, version 1803 with KB4519978 [10.0.17134.1099] and later
✅ Windows 10, version 1809 with KB4520062 [10.0.17763.832] and later
✅ Windows 10, version 1903 with KB4517211 [10.0.18362.387] and later
✅ Windows 10, version 1909 [10.0.18363] and later
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}

Unique ID of ADMX file.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming ServerGeneratedUniqueIdentifier
Device/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}/Version
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 with KB4520006 [10.0.16299.1481] and later
✅ Windows 10, version 1803 with KB4519978 [10.0.17134.1099] and later
✅ Windows 10, version 1809 with KB4520062 [10.0.17763.832] and later
✅ Windows 10, version 1903 with KB4517211 [10.0.18362.387] and later
✅ Windows 10, version 1909 [10.0.18363] and later
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}/Version

Version of ADMX file. This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Device/Result

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Result

Groups the evaluated policies from all providers that can be configured.

Description framework properties:

Property name Property value
Format node
Access Type Get

Device/Result/{AreaName}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Result/{AreaName}

The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.

Description framework properties:

Property name Property value
Format node
Access Type Get
Dynamic Node Naming ClientInventory

Device/Result/{AreaName}/{PolicyName}

Scope Editions Applicable OS
✅ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1507 [10.0.10240] and later
./Device/Vendor/MSFT/Policy/Result/{AreaName}/{PolicyName}

Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.

Description framework properties:

Property name Property value
Format null
Access Type Get
Dynamic Node Naming ClientInventory

User/Config

Scope Editions Applicable OS
✅ Device
✅ User
❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC
./User/Vendor/MSFT/Policy/Config

Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get

User/Config/{AreaName}

Scope Editions Applicable OS
✅ Device
✅ User
❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC
./User/Vendor/MSFT/Policy/Config/{AreaName}

The area group that can be configured by a single technology for a single provider. Once added, you can't change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.

The following list shows some tips to help you when configuring policies:

  • Separate substring values by Unicode 0xF000 in the XML file.

    Note

    A query from a different caller could provide a different value as each caller could have different values for a named policy.

  • In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.
  • Supported operations are Add, Get, Delete, and Replace.
  • Value type is string.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Dynamic Node Naming ClientInventory

User/Config/{AreaName}/{PolicyName}

Scope Editions Applicable OS
✅ Device
✅ User
❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC
./User/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}

Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.

Description framework properties:

Property name Property value
Format null
Access Type Add, Delete, Get, Replace
Dynamic Node Naming ClientInventory

User/Result

Scope Editions Applicable OS
✅ Device
✅ User
❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC
./User/Vendor/MSFT/Policy/Result

Groups the evaluated policies from all providers that can be configured.

Description framework properties:

Property name Property value
Format node
Access Type Get

User/Result/{AreaName}

Scope Editions Applicable OS
✅ Device
✅ User
❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC
./User/Vendor/MSFT/Policy/Result/{AreaName}

The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.

Description framework properties:

Property name Property value
Format node
Access Type Get
Dynamic Node Naming ClientInventory

User/Result/{AreaName}/{PolicyName}

Scope Editions Applicable OS
✅ Device
✅ User
❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC
./User/Vendor/MSFT/Policy/Result/{AreaName}/{PolicyName}

Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.

Description framework properties:

Property name Property value
Format null
Access Type Get
Dynamic Node Naming ServerGeneratedUniqueIdentifier

Policy Areas

Configuration service provider reference