Events
May 19, 6 PM - May 23, 12 AM
Calling all developers, creators, and AI innovators to join us in Seattle @Microsoft Build May 19-22.
Register todayPolicy CSP
The Policy configuration service provider enables the enterprise to configure policies on Windows 10 and Windows 11. Use this configuration service provider to configure any company policies.
The Policy configuration service provider has the following sub-categories:
- Policy/Config/AreaName - Handles the policy configuration request from the server.
- Policy/Result/AreaName - Provides a read-only path to policies enforced on the device.
Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user. To configure a policy under a specific scope (user vs. device), please use the following paths:
User scope:
- ./User/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
- ./User/Vendor/MSFT/Policy/Result/AreaName/PolicyName to get the result.
Device scope:
- ./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
- ./Device/Vendor/MSFT/Policy/Result/AreaName/PolicyName to get the result.
Note
For device wide configuration the Device/ portion may be omitted from the path, deeming the following paths respectively equivalent to the paths provided above:
- ./Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
- ./Vendor/MSFT/Policy/Result/AreaName/PolicyName to get the result.
The following list shows the Policy configuration service provider nodes:
- ./Device/Vendor/MSFT/Policy
- ./User/Vendor/MSFT/Policy
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Add, Delete, Get |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/{AreaName}
The area group that can be configured by a single technology for a single provider. Once added, you can't change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Add, Delete, Get |
| Dynamic Node Naming | ClientInventory |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}
Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
The following list shows some tips to help you when configuring policies:
- Separate substring values by Unicode
0xF000in the XML file.Note
A query from a different caller could provide a different value as each caller could have different values for a named policy.
- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.
- Supported operations are Add, Get, Delete, and Replace.
- Value type is string.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | null |
| Access Type | Add, Delete, Get, Replace |
| Dynamic Node Naming | ClientInventory |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/ConfigOperations
The root node for grouping different configuration operations.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Add, Delete, Get |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall
Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that's added is assigned a unique ID. ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.
For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration.
Note
The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see Office Customization Tool.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Add, Delete, Get |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}
Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Add, Delete, Get |
| Dynamic Node Naming | UniqueName: Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}
Setting Type of Win32 App. Policy Or Preference.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Add, Delete, Get |
| Dynamic Node Naming | UniqueName: Setting Type of Win32 App. Policy Or Preference |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}/{AdmxFileId}
Unique ID of ADMX file.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 with KB4520006 [10.0.16299.1481] and later ✅ Windows 10, version 1803 with KB4519978 [10.0.17134.1099] and later ✅ Windows 10, version 1809 with KB4520062 [10.0.17763.832] and later ✅ Windows 10, version 1903 with KB4517211 [10.0.18362.387] and later ✅ Windows 10, version 1909 [10.0.18363] and later |
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties
Properties of Win32 App ADMX Ingestion.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Add, Delete, Get |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 with KB4520006 [10.0.16299.1481] and later ✅ Windows 10, version 1803 with KB4519978 [10.0.17134.1099] and later ✅ Windows 10, version 1809 with KB4520062 [10.0.17763.832] and later ✅ Windows 10, version 1903 with KB4517211 [10.0.18362.387] and later ✅ Windows 10, version 1909 [10.0.18363] and later |
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}
Setting Type of Win32 App. Policy Or Preference.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Add, Delete, Get |
| Dynamic Node Naming | UniqueName: Setting Type of Win32 App. Policy Or Preference |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 with KB4520006 [10.0.16299.1481] and later ✅ Windows 10, version 1803 with KB4519978 [10.0.17134.1099] and later ✅ Windows 10, version 1809 with KB4520062 [10.0.17763.832] and later ✅ Windows 10, version 1903 with KB4517211 [10.0.18362.387] and later ✅ Windows 10, version 1909 [10.0.18363] and later |
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}
Unique ID of ADMX file.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Add, Delete, Get |
| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 with KB4520006 [10.0.16299.1481] and later ✅ Windows 10, version 1803 with KB4519978 [10.0.17134.1099] and later ✅ Windows 10, version 1809 with KB4520062 [10.0.17763.832] and later ✅ Windows 10, version 1903 with KB4517211 [10.0.18362.387] and later ✅ Windows 10, version 1909 [10.0.18363] and later |
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}/Version
Version of ADMX file. This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Result
Groups the evaluated policies from all providers that can be configured.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Get |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Result/{AreaName}
The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Get |
| Dynamic Node Naming | ClientInventory |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1507 [10.0.10240] and later |
./Device/Vendor/MSFT/Policy/Result/{AreaName}/{PolicyName}
Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | null |
| Access Type | Get |
| Dynamic Node Naming | ClientInventory |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
❌ Pro ❌ Enterprise ❌ Education ❌ IoT Enterprise / IoT Enterprise LTSC |
./User/Vendor/MSFT/Policy/Config
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Add, Delete, Get |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
❌ Pro ❌ Enterprise ❌ Education ❌ IoT Enterprise / IoT Enterprise LTSC |
./User/Vendor/MSFT/Policy/Config/{AreaName}
The area group that can be configured by a single technology for a single provider. Once added, you can't change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
The following list shows some tips to help you when configuring policies:
- Separate substring values by Unicode
0xF000in the XML file.Note
A query from a different caller could provide a different value as each caller could have different values for a named policy.
- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.
- Supported operations are Add, Get, Delete, and Replace.
- Value type is string.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Add, Delete, Get |
| Dynamic Node Naming | ClientInventory |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
❌ Pro ❌ Enterprise ❌ Education ❌ IoT Enterprise / IoT Enterprise LTSC |
./User/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}
Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | null |
| Access Type | Add, Delete, Get, Replace |
| Dynamic Node Naming | ClientInventory |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
❌ Pro ❌ Enterprise ❌ Education ❌ IoT Enterprise / IoT Enterprise LTSC |
./User/Vendor/MSFT/Policy/Result
Groups the evaluated policies from all providers that can be configured.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Get |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
❌ Pro ❌ Enterprise ❌ Education ❌ IoT Enterprise / IoT Enterprise LTSC |
./User/Vendor/MSFT/Policy/Result/{AreaName}
The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Get |
| Dynamic Node Naming | ClientInventory |
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ✅ User |
❌ Pro ❌ Enterprise ❌ Education ❌ IoT Enterprise / IoT Enterprise LTSC |
./User/Vendor/MSFT/Policy/Result/{AreaName}/{PolicyName}
Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | null |
| Access Type | Get |
| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
- AboveLock
- Accounts
- ActiveXControls
- ADMX_ActiveXInstallService
- ADMX_AddRemovePrograms
- ADMX_AdmPwd
- ADMX_AppCompat
- ADMX_AppxPackageManager
- ADMX_AppXRuntime
- ADMX_AttachmentManager
- ADMX_AuditSettings
- ADMX_Bits
- ADMX_CipherSuiteOrder
- ADMX_COM
- ADMX_ControlPanel
- ADMX_ControlPanelDisplay
- ADMX_Cpls
- ADMX_CredentialProviders
- ADMX_CredSsp
- ADMX_CredUI
- ADMX_CtrlAltDel
- ADMX_DataCollection
- ADMX_DCOM
- ADMX_Desktop
- ADMX_DeviceCompat
- ADMX_DeviceGuard
- ADMX_DeviceInstallation
- ADMX_DeviceSetup
- ADMX_DFS
- ADMX_DigitalLocker
- ADMX_DiskDiagnostic
- ADMX_DiskNVCache
- ADMX_DiskQuota
- ADMX_DistributedLinkTracking
- ADMX_DnsClient
- ADMX_DWM
- ADMX_EAIME
- ADMX_EncryptFilesonMove
- ADMX_EnhancedStorage
- ADMX_ErrorReporting
- ADMX_EventForwarding
- ADMX_EventLog
- ADMX_EventLogging
- ADMX_EventViewer
- ADMX_Explorer
- ADMX_ExternalBoot
- ADMX_FileRecovery
- ADMX_FileRevocation
- ADMX_FileServerVSSProvider
- ADMX_FileSys
- ADMX_FolderRedirection
- ADMX_FramePanes
- ADMX_fthsvc
- ADMX_Globalization
- ADMX_GroupPolicy
- ADMX_Help
- ADMX_HelpAndSupport
- ADMX_hotspotauth
- ADMX_ICM
- ADMX_IIS
- ADMX_iSCSI
- ADMX_kdc
- ADMX_Kerberos
- ADMX_LanmanServer
- ADMX_LanmanWorkstation
- ADMX_LeakDiagnostic
- ADMX_LinkLayerTopologyDiscovery
- ADMX_LocationProviderAdm
- ADMX_Logon
- ADMX_MicrosoftDefenderAntivirus
- ADMX_MMC
- ADMX_MMCSnapins
- ADMX_MobilePCMobilityCenter
- ADMX_MobilePCPresentationSettings
- ADMX_MSAPolicy
- ADMX_msched
- ADMX_MSDT
- ADMX_MSI
- ADMX_MsiFileRecovery
- ADMX_MSS-legacy
- ADMX_nca
- ADMX_NCSI
- ADMX_Netlogon
- ADMX_NetworkConnections
- ADMX_OfflineFiles
- ADMX_pca
- ADMX_PeerToPeerCaching
- ADMX_PenTraining
- ADMX_PerformanceDiagnostics
- ADMX_Power
- ADMX_PowerShellExecutionPolicy
- ADMX_PreviousVersions
- ADMX_Printing
- ADMX_Printing2
- ADMX_Programs
- ADMX_PushToInstall
- ADMX_QOS
- ADMX_Radar
- ADMX_Reliability
- ADMX_RemoteAssistance
- ADMX_RemovableStorage
- ADMX_RPC
- ADMX_sam
- ADMX_Scripts
- ADMX_sdiageng
- ADMX_sdiagschd
- ADMX_Securitycenter
- ADMX_Sensors
- ADMX_ServerManager
- ADMX_Servicing
- ADMX_SettingSync
- ADMX_SharedFolders
- ADMX_Sharing
- ADMX_ShellCommandPromptRegEditTools
- ADMX_Smartcard
- ADMX_Snmp
- ADMX_SoundRec
- ADMX_srmfci
- ADMX_StartMenu
- ADMX_SystemRestore
- ADMX_TabletPCInputPanel
- ADMX_TabletShell
- ADMX_Taskbar
- ADMX_tcpip
- ADMX_TerminalServer
- ADMX_Thumbnails
- ADMX_TouchInput
- ADMX_TPM
- ADMX_UserExperienceVirtualization
- ADMX_UserProfiles
- ADMX_W32Time
- ADMX_WCM
- ADMX_WDI
- ADMX_WinCal
- ADMX_WindowsColorSystem
- ADMX_WindowsConnectNow
- ADMX_WindowsExplorer
- ADMX_WindowsMediaDRM
- ADMX_WindowsMediaPlayer
- ADMX_WindowsRemoteManagement
- ADMX_WindowsStore
- ADMX_WinInit
- ADMX_WinLogon
- ADMX_Winsrv
- ADMX_wlansvc
- ADMX_WordWheel
- ADMX_WorkFoldersClient
- ADMX_WPN
- AppDeviceInventory
- ApplicationDefaults
- ApplicationManagement
- AppRuntime
- AppVirtualization
- AttachmentManager
- Audit
- Authentication
- Autoplay
- Bitlocker
- BITS
- Bluetooth
- Browser
- Camera
- Cellular
- CloudDesktop
- Connectivity
- ControlPolicyConflict
- CredentialProviders
- CredentialsDelegation
- CredentialsUI
- Cryptography
- DataProtection
- DataUsage
- Defender
- DeliveryOptimization
- Desktop
- DesktopAppInstaller
- DeviceGuard
- DeviceHealthMonitoring
- DeviceInstallation
- DeviceLock
- Display
- DmaGuard
- Eap
- Education
- EnterpriseCloudPrint
- ErrorReporting
- EventLogService
- Experience
- ExploitGuard
- FederatedAuthentication
- FileExplorer
- FileSystem
- Games
- Handwriting
- HumanPresence
- InternetExplorer
- Kerberos
- KioskBrowser
- LanmanWorkstation
- Licensing
- LocalPoliciesSecurityOptions
- LocalSecurityAuthority
- LocalUsersAndGroups
- LockDown
- Maps
- MemoryDump
- Messaging
- MixedReality
- MSSecurityGuide
- MSSLegacy
- Multitasking
- NetworkIsolation
- NetworkListManager
- NewsAndInterests
- Notifications
- Power
- Printers
- Privacy
- RemoteAssistance
- RemoteDesktop
- RemoteDesktopServices
- RemoteManagement
- RemoteProcedureCall
- RemoteShell
- RestrictedGroups
- Search
- Security
- ServiceControlManager
- Settings
- SettingsSync
- SmartScreen
- SpeakForMe
- Speech
- Start
- Stickers
- Storage
- Sudo
- System
- SystemServices
- TaskManager
- TaskScheduler
- TenantDefinedTelemetry
- TenantRestrictions
- TextInput
- TimeLanguageSettings
- Troubleshooting
- Update
- UserRights
- VirtualizationBasedTechnology
- WebThreatDefense
- Wifi
- WindowsAI
- WindowsAutopilot
- WindowsConnectionManager
- WindowsDefenderSecurityCenter
- WindowsInkWorkspace
- WindowsLogon
- WindowsPowerShell
- WindowsSandbox
- WirelessDisplay
Additional resources
Training
Learning path
MD-100 Configure data access and usage - Training
MD-100 Configure data access and usage
Certification
Microsoft 365 Certified: Endpoint Administrator Associate - Certifications
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.