Custom Policy CSP for NCSC Guidance for Windows 10

The NCSC Guidance for Deploying Intune managed Windows 10 clients (HERE) lists two custom OMA-URI settings that block unwanted devices from being installed.

./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs

./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses

Unfortunately the policy JSON that the NCSC supply is missing these settings. I tried to create the SyncML for both IDs using guidance from the Internet, but I get a catastrophic failure error message in the logs and the policies do not apply.

The settings that I have used are:

./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs

<enabled/>
<data id="DeviceInstall_IDs_Deny_List" value="PCI\CC_0C0A"/>
<data id="DeviceInstall_IDs_Deny_Retroactive" value="1"/>

./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses

<enabled/>
<data id="DeviceInstall_Classes_Deny_Retroactive" value="1"/>
<data id="DeviceInstall_Classes_Deny_List" value="{d48179be-ec20-11d1-b6b8-00c04fa372a7}&#xF000;{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}&#xF000;{c06ff265-ae09-48f0-812c-16753d7cba83}&#xF000;{6bdd1fc1-810f-11d0-bec7-08002be2092f}"/>

Has anyone successfully applied these settings using a custom device configuration policy? If so, where am I going wrong?

Any assistance will be gratefully received.

best response confirmed by Andrew Matthews (Iron Contributor)
Solution

Hi Andrew,

You need to specify the list elements slightly differently. Every list element must be specified as a tuple with the official separator, and then it works. For example, instead of PCI\CC_0C0A you must specify PCI\CC_0C0A&#xF000;PCI\CC_0C0A. In addition, the retroactive values must be true or false.

./Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs

<enabled/>
<data id="DeviceInstall_IDs_Deny_List" value="PCI\CC_0C0A&#xF000;PCI\CC_0C0A"/>
<data id="DeviceInstall_IDs_Deny_Retroactive" value="true"/>

./Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses

<enabled/>
<data id="DeviceInstall_Classes_Deny_List" value="{d48179be-ec20-11d1-b6b8-00c04fa372a7}&#xF000;{d48179be-ec20-11d1-b6b8-00c04fa372a7}&#xF000;{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}&#xF000;{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}&#xF000;{c06ff265-ae09-48f0-812c-16753d7cba83}&#xF000;{c06ff265-ae09-48f0-812c-16753d7cba83}&#xF000;{6bdd1fc1-810f-11d0-bec7-08002be2092f}&#xF000;{6bdd1fc1-810f-11d0-bec7-08002be2092f}"/>
<data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/>

This applies successfully on my devices.

Best,
Oliver

Thanks for your help and very quick response!

The policies applied with your settings straight away. I checked the registry location where the ADMX-backed policy is applied, and the tuple structure makes sense because there is a value/data registry value pair for each item in the CSP policy data.
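As an added illustration (not code from this thread, the NCSC guidance or Microsoft), the following Python builds the tuple-encoded deny-list values Oliver describes and decodes them back into the name/data pairs that end up in the registry; the function names are my own, and the retroactive flag is emitted as true/false as the accepted answer requires.

```python
from xml.sax.saxutils import escape
import html

# XML character reference for U+F000, the delimiter ADMX-backed CSP policies use
# between list elements (and between the name and data halves of each element).
SEP = "&#xF000;"

def admx_list_value(items):
    """Encode each item as a name/data tuple (item SEP item), tuples joined by SEP."""
    if not items:
        raise ValueError("deny list must contain at least one element")
    return SEP.join(f"{escape(item)}{SEP}{escape(item)}" for item in items)

def device_installation_policy(list_id, retro_id, items, retroactive=True):
    """Return the <enabled/>+<data/> string pasted as the custom OMA-URI 'String' value."""
    retro = "true" if retroactive else "false"
    return (
        "<enabled/>"
        f'<data id="{list_id}" value="{admx_list_value(items)}"/>'
        f'<data id="{retro_id}" value="{retro}"/>'
    )

def decode_list_value(value):
    """Split an encoded list into the (name, data) pairs Windows writes to the registry."""
    parts = html.unescape(value).split("\uf000")
    if len(parts) % 2:
        raise ValueError(f"{len(parts)} elements: list is not made of name/data tuples")
    return list(zip(parts[0::2], parts[1::2]))

def is_tuple_encoded(value):
    """True when every element is a name/data tuple whose halves match (the thread's convention)."""
    try:
        return all(name == data for name, data in decode_list_value(value))
    except ValueError:
        return False

if __name__ == "__main__":
    classes = [  # the four setup class GUIDs quoted in the thread
        "{d48179be-ec20-11d1-b6b8-00c04fa372a7}",
        "{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}",
        "{c06ff265-ae09-48f0-812c-16753d7cba83}",
        "{6bdd1fc1-810f-11d0-bec7-08002be2092f}",
    ]
    print(device_installation_policy("DeviceInstall_IDs_Deny_List",
                                     "DeviceInstall_IDs_Deny_Retroactive", ["PCI\\CC_0C0A"]))
    print(device_installation_policy("DeviceInstall_Classes_Deny_List",
                                     "DeviceInstall_Classes_Deny_Retroactive", classes))
    print(is_tuple_encoded("PCI\\CC_0C0A"))  # False: the original post's value is not a tuple
```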

 

 

Hi,

I'm facing the same problem. One quick question: are you using the String (XML file) type or the String type when setting the custom settings?

When using String (XML file) I'm getting an error when saving the profile.

Thanks in advance,

 

Hi,

You have to use type String, not the type String (XML). That's how it is supposed to be configured.

Best,
Oliver

Hi Oliver,

One last question, as I'm also following the NCSC Guidance.

How did you configure the autoplay settings with MDM? I'm assuming that those are String (XML).

The whole NCSC guide sets String (XML) for almost all the policies (even the previous one).

Hi,

It's a bit misleading: they write String (XML), but they mean data type String and use the XML string as the value. Later in the guide they write String (XML file), and there they really mean String (XML file). Treat all String (XML) entries as data type String.

Your TurnOffAutoPlay example:

./User/Vendor/MSFT/Policy/Config/Autoplay/TurnOffAutoPlay
String:
<enabled/><data id="Autorun_Box" value="255"/>

Best,
Oliver

Thanks again, very helpful comment! ;)
