Forum Discussion

Iron Contributor

Sep 11, 2018

Solved

Custom Policy CSP for NCSC Guidance for Windows 10

The NCSC Guidance for Deploying Intune managed Windows 10 clients (https://www.ncsc.gov.uk/guidance/eud-guidance-windows-10-1803-mobile-device-management) lists two custom OMA-URI settings that block...

CSP

Intune

windows 10

Oliver Kieselbach
Sep 11, 2018
Hi Andrew,

you need to specify the list elements slightly different. Every list element must be specified as a tuple with the official separator and then it is working. e.g. instead of PCI\CC_0C0A you must specify PCI\CC_0C0APCI\CC_0C0A. In addition the retroactive values must be true or false.

./Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs

<enabled/>

<data id="DeviceInstall_IDs_Deny_List" value="PCI\CC_0C0APCI\CC_0C0A"/>

<data id="DeviceInstall_IDs_Deny_Retroactive" value="true"/>

./Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses

<enabled/>

<data id="DeviceInstall_Classes_Deny_List" value="

{d48179be-ec20-11d1-b6b8-00c04fa372a7}{d48179be-ec20-11d1-b6b8-00c04fa372a7}{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}{c06ff265-ae09-48f0-812c-16753d7cba83}{c06ff265-ae09-48f0-812c-16753d7cba83}{6bdd1fc1-810f-11d0-bec7-08002be2092f}{6bdd1fc1-810f-11d0-bec7-08002be2092f}"/>

<data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/>

this applies successfully on my devices.

best,
Oliver

Oliver Kieselbach

MVP

Sep 11, 2018

Hi Andrew,

you need to specify the list elements slightly different. Every list element must be specified as a tuple with the official separator and then it is working. e.g. instead of PCI\CC_0C0A you must specify PCI\CC_0C0APCI\CC_0C0A. In addition the retroactive values must be true or false.

./Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs

./Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses

<data id="DeviceInstall_Classes_Deny_List" value="

{d48179be-ec20-11d1-b6b8-00c04fa372a7}{d48179be-ec20-11d1-b6b8-00c04fa372a7}{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}{c06ff265-ae09-48f0-812c-16753d7cba83}{c06ff265-ae09-48f0-812c-16753d7cba83}{6bdd1fc1-810f-11d0-bec7-08002be2092f}{6bdd1fc1-810f-11d0-bec7-08002be2092f}"/>

this applies successfully on my devices.

best,
Oliver

Andrew Matthews

Iron Contributor

Sep 12, 2018

Thanks for your help and very quick response!

The policies applied with your settings straight away. I checked the registry location where the ADMX backed policy is applied and the tuple structure makes sense because there is a value/data registry value pair for each item in the CSP policy data.

llorencVB
Copper Contributor
Oct 09, 2018
Hi,

I'm facing the same problem. One quick question, are you using the String (XML file) type or the String type when setting the custom Settings?

When using the String (XML file) I'm getting an error when saving the profile.

Thanks in Advance,
- Oliver Kieselbach
  MVP
  Oct 09, 2018
  Hi,
  
  You have to use type String. Not the type String (XML). That‘s how it is supposed to be configured.
  
  Best,
  Oliver
  - llorencVB
    Copper Contributor
    Oct 11, 2018
    Hi Oliver,
    
    One last question, as I'm following also the NCSC Guidance.
    
    How did you configured the autoplay settings with MDM? I'm assuming that those are String (XML).
    
    All the NCSC guide, set String XML for almost all the policies (even the previous one)