Forum Discussion

Andrew Matthews's avatar
Andrew Matthews
Iron Contributor
Sep 11, 2018
Solved

Custom Policy CSP for NCSC Guidance for Windows 10

The NCSC Guidance for Deploying Intune managed Windows 10 clients (https://www.ncsc.gov.uk/guidance/eud-guidance-windows-10-1803-mobile-device-management) lists two custom OMA-URI settings that block unwanted devices from being installed. 

 

./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs

./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses

 

Unfortunately the policy JSON that the NCSC supply is missing these settings. I tried to create the SyncML for both IDs using guidance from the Internet but I get a catastrophic failure error message in the logs and the policies do not apply. 

 

The settings that I have used are 

 

./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs

 

<enabled/>
<data id="DeviceInstall_IDs_Deny_List" value="PCI\CC_0C0A"/>
<data id="DeviceInstall_IDs_Deny_Retroactive" value="1"/>

 

./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses

 

<enabled/>
<data id="DeviceInstall_Classes_Deny_Retroactive" value="1"/>
<data id="DeviceInstall_Classes_Deny_List" value="{d48179be-ec20-11d1-b6b8-00c04fa372a7}&#xF000;{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}&#xF000;{c06ff265-ae09-48f0-812c-16753d7cba83}&#xF000;{6bdd1fc1-810f-11d0-bec7-08002be2092f}"/>

 

Has anyone successfully applied these settings using a custom device configuration policy? If so where am I going wrong?

Any assistance will be gratefully received

 

CSP
Intune
windows 10
  • Oliver Kieselbach's avatar
    Oliver Kieselbach
    Sep 11, 2018

    Hi Andrew,

     

    you need to specify the list elements slightly different. Every list element must be specified as a tuple with the official separator and then it is working. e.g. instead of PCI\CC_0C0A you must specify PCI\CC_0C0A&#xF000;PCI\CC_0C0A. In addition the retroactive values must be true or false.

     

    ./Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs

     

    <enabled/>

    <data id="DeviceInstall_IDs_Deny_List" value="PCI\CC_0C0A&#xF000;PCI\CC_0C0A"/>

    <data id="DeviceInstall_IDs_Deny_Retroactive" value="true"/>

     

    ./Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses

     

    <enabled/>

    <data id="DeviceInstall_Classes_Deny_List" value="

    {d48179be-ec20-11d1-b6b8-00c04fa372a7}&#xF000;{d48179be-ec20-11d1-b6b8-00c04fa372a7}&#xF000;{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}&#xF000;{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}&#xF000;{c06ff265-ae09-48f0-812c-16753d7cba83}&#xF000;{c06ff265-ae09-48f0-812c-16753d7cba83}&#xF000;{6bdd1fc1-810f-11d0-bec7-08002be2092f}&#xF000;{6bdd1fc1-810f-11d0-bec7-08002be2092f}"/>
    <data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/>
     
    this applies successfully on my devices.
     
     
    best,
    Oliver

8 Replies

Sort By
  • Oliver Kieselbach's avatar
    Oliver Kieselbach
    MVP
    Sep 11, 2018

    Hi Andrew,

     

    you need to specify the list elements slightly different. Every list element must be specified as a tuple with the official separator and then it is working. e.g. instead of PCI\CC_0C0A you must specify PCI\CC_0C0A&#xF000;PCI\CC_0C0A. In addition the retroactive values must be true or false.

     

    ./Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs

     

    <enabled/>

    <data id="DeviceInstall_IDs_Deny_List" value="PCI\CC_0C0A&#xF000;PCI\CC_0C0A"/>

    <data id="DeviceInstall_IDs_Deny_Retroactive" value="true"/>

     

    ./Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses

     

    <enabled/>

    <data id="DeviceInstall_Classes_Deny_List" value="

    {d48179be-ec20-11d1-b6b8-00c04fa372a7}&#xF000;{d48179be-ec20-11d1-b6b8-00c04fa372a7}&#xF000;{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}&#xF000;{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}&#xF000;{c06ff265-ae09-48f0-812c-16753d7cba83}&#xF000;{c06ff265-ae09-48f0-812c-16753d7cba83}&#xF000;{6bdd1fc1-810f-11d0-bec7-08002be2092f}&#xF000;{6bdd1fc1-810f-11d0-bec7-08002be2092f}"/>
    <data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/>
     
    this applies successfully on my devices.
     
     
    best,
    Oliver
    • Andrew Matthews's avatar
      Andrew Matthews
      Iron Contributor
      Sep 12, 2018

      Thanks for your help and very quick response!

       

      The policies applied with your settings straight away. I checked the registry location where the ADMX backed policy is applied and the tuple structure makes sense because there is a value/data registry value pair for each item in the CSP policy data.

       

       

      • llorencVB's avatar
        llorencVB
        Copper Contributor
        Oct 09, 2018

        Hi,

         

        I'm facing the same problem. One quick question, are you using the String (XML file) type or the String type when setting the custom Settings?

         

        When using the String (XML file) I'm getting an error when saving the profile.

         

        Thanks in Advance,

         

Resources