Sep 11 2018 05:58 AM
The NCSC Guidance for Deploying Intune managed Windows 10 clients (HERE) lists two custom OMA-URI settings that block unwanted devices from being installed.
./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
Unfortunately the policy JSON that the NCSC supply is missing these settings. I tried to create the SyncML for both IDs using guidance from the Internet but I get a catastrophic failure error message in the logs and the policies do not apply.
The settings that I have used are
./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
<enabled/>
<data id="DeviceInstall_IDs_Deny_List" value="PCI\CC_0C0A"/>
<data id="DeviceInstall_IDs_Deny_Retroactive" value="1"/>
./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
<enabled/>
<data id="DeviceInstall_Classes_Deny_Retroactive" value="1"/>
<data id="DeviceInstall_Classes_Deny_List" value="{d48179be-ec20-11d1-b6b8-00c04fa372a7}{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}{c06ff265-ae09-48f0-812c-16753d7cba83}{6bdd1fc1-810f-11d0-bec7-08002be2092f}"/>
Has anyone successfully applied these settings using a custom device configuration policy? If so where am I going wrong?
Any assistance will be gratefully received
Sep 11 2018 04:37 PM
Hi Andrew,
you need to specify the list elements slightly differently. Every list element must be specified as a tuple with the official separator, and then it works. E.g. instead of PCI\CC_0C0A you must specify PCI\CC_0C0APCI\CC_0C0A. In addition, the retroactive values must be true or false.
./Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
<enabled/>
<data id="DeviceInstall_IDs_Deny_List" value="PCI\CC_0C0APCI\CC_0C0A"/>
<data id="DeviceInstall_IDs_Deny_Retroactive" value="true"/>
./Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
<enabled/>
<data id="DeviceInstall_Classes_Deny_List" value="
Sep 12 2018 12:18 AM
Thanks for your help and very quick response!
The policies applied with your settings straight away. I checked the registry location where the ADMX backed policy is applied and the tuple structure makes sense because there is a value/data registry value pair for each item in the CSP policy data.
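As an added example (not code from the thread or from the NCSC guide), the PowerShell below builds the two custom OMA-URI values in the tuple form Oliver describes and that Andrew saw mirrored as registry value/data pairs. It assumes the list separator is U+F000, the character the Policy CSP uses between ADMX-backed list elements, written here as the XML character reference `&#xF000;` so it stays visible when pasted into the Intune portal; the function names are hypothetical and the deny-list values are the ones from the question.

```powershell
# Added example (not from the thread or the NCSC guide): build the two DeviceInstallation
# custom OMA-URI values (data type String) in the tuple form Oliver describes.
# Assumption: U+F000 is the Policy CSP list separator for ADMX-backed lists, written as
# the XML character reference &#xF000; so it is visible and pasteable.
$Separator = '&#xF000;'
$UriSuffix = @{
    IDs     = 'PreventInstallationOfMatchingDeviceIDs'
    Classes = 'PreventInstallationOfMatchingDeviceSetupClasses'
}
function New-PolicyCspList {
    param([Parameter(Mandatory)] [string[]] $Items)
    # One (registry value name, data) pair per element; the thread uses the item for both
    # halves, so a single ID becomes "item<sep>item". Pairs are joined by the same separator.
    ($Items | ForEach-Object { '{0}{1}{0}' -f $_, $Separator }) -join $Separator
}
function Test-PolicyCspList {
    param([Parameter(Mandatory)] [string] $List)
    # Sanity check before pasting into the portal: even number of parts, each pair matching.
    $parts = $List -split [regex]::Escape($Separator)
    if ($parts.Count % 2 -ne 0) { return $false }
    for ($i = 0; $i -lt $parts.Count; $i += 2) {
        if ($parts[$i] -ne $parts[$i + 1]) { return $false }
    }
    return $true
}
function New-DeviceInstallationPolicy {
    param(
        [Parameter(Mandatory)] [ValidateSet('IDs', 'Classes')] [string] $Kind,
        [Parameter(Mandatory)] [string[]] $DenyList,
        [bool] $Retroactive = $true
    )
    $list = New-PolicyCspList -Items $DenyList
    if (-not (Test-PolicyCspList -List $list)) { throw "Malformed list for $Kind" }
    # The retroactive flag must be the literal strings true/false, not 1/0.
    $retro = if ($Retroactive) { 'true' } else { 'false' }
    [pscustomobject]@{
        OmaUri   = './Vendor/MSFT/Policy/Config/DeviceInstallation/' + $UriSuffix[$Kind]
        DataType = 'String'
        Value    = ('<enabled/><data id="DeviceInstall_{0}_Deny_List" value="{1}"/>' +
                    '<data id="DeviceInstall_{0}_Deny_Retroactive" value="{2}"/>') -f $Kind, $list, $retro
    }
}
# Deny-list values taken from the question.
$deviceIds    = @('PCI\CC_0C0A')
$setupClasses = @('{d48179be-ec20-11d1-b6b8-00c04fa372a7}', '{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}',
                  '{c06ff265-ae09-48f0-812c-16753d7cba83}', '{6bdd1fc1-810f-11d0-bec7-08002be2092f}')
New-DeviceInstallationPolicy -Kind IDs     -DenyList $deviceIds    | Format-List
New-DeviceInstallationPolicy -Kind Classes -DenyList $setupClasses | Format-List
```

Paste each Value into a custom profile row with the matching OMA-URI and data type String; after sync, the pairs should appear as value/data entries under the DeviceInstall policy key Andrew mentions.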
Oct 09 2018 08:25 AM
Hi,
I'm facing the same problem. One quick question, are you using the String (XML file) type or the String type when setting the custom Settings?
When using the String (XML file) I'm getting an error when saving the profile.
Thanks in Advance,
Oct 09 2018 08:32 AM
Oct 11 2018 02:57 AM
Hi Oliver,
One last question, as I'm following also the NCSC Guidance.
How did you configure the autoplay settings with MDM? I'm assuming that those are String (XML).
The whole NCSC guide sets String (XML) for almost all the policies (even the previous one).
Oct 11 2018 03:12 AM
Hi,
it's a bit misleading: they write String (XML) but they mean data type String and use the XML string as the value. Later in the guide they write String (XML file) and there they really mean String (XML file). Treat all String (XML) entries as data type String.
Your TurnOffAutoPlay example:
./User/Vendor/MSFT/Policy/Config/Autoplay/TurnOffAutoPlay
String:
<enabled/><data id="Autorun_Box" value="255"/>
best,
Oliver
Oct 11 2018 03:38 AM
Thanks again,
very helpful comment! ;)