Win32 and Desktop Bridge app ADMX policy ingestion

Overview

You can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define the policy information can be ingested to the device by using the Policy CSP URI, ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. The ingested ADMX file is then processed into MDM policies.

Starting from the following Windows versions, the Replace command is supported:

  • Windows 10, version 1903 with KB4512941 and KB4517211 installed
  • Windows 10, version 1809 with KB4512534 and KB installed
  • Windows 10, version 1803 with KB4512509 and KB installed
  • Windows 10, version 1709 with KB4516071 and KB installed

When ADMX policies are ingested, the registry keys to which the policies are written are checked so that known system registry keys, or registry keys used by existing inbox policies or system components, are not overwritten. This precaution helps avoid the security problems of opening up the entire registry. Currently, ingested policies are not allowed to write to locations within the System, Software\Microsoft, and Software\Policies\Microsoft keys, except for the following locations:

  • Software\Policies\Microsoft\Office\
  • Software\Microsoft\Office\
  • Software\Microsoft\Windows\CurrentVersion\Explorer\
  • Software\Microsoft\Internet Explorer\
  • software\policies\microsoft\shared tools\proofing tools\
  • software\policies\microsoft\imejp\
  • software\policies\microsoft\ime\shared\
  • software\policies\microsoft\shared tools\graphics filters\
  • software\policies\microsoft\windows\currentversion\explorer\
  • software\policies\microsoft\softwareprotectionplatform\
  • software\policies\microsoft\officesoftwareprotectionplatform\
  • software\policies\microsoft\windows\windows search\preferences\
  • software\policies\microsoft\exchange\
  • software\microsoft\shared tools\proofing tools\
  • software\microsoft\shared tools\graphics filters\
  • software\microsoft\windows\windows search\preferences\
  • software\microsoft\exchange\
  • software\policies\microsoft\vba\security\
  • software\microsoft\onedrive
  • software\Microsoft\Edge
  • Software\Microsoft\EdgeUpdate\
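A pre-flight check for the rule above, run on an ADMX file before it is sent for ingestion. This is an added example, not Microsoft's implementation or code from the original page; the function names and the sample ADMX are constructed, and it assumes key paths are relative to the hive and are compared by whole path components.

```python
import xml.etree.ElementTree as ET

# Roots that ingested policies may not write to, per the text above.
BLOCKED_ROOTS = ("system", r"software\microsoft", r"software\policies\microsoft")
# The exceptions listed above, copied as they appear on the page.
EXCEPTIONS = r"""
Software\Policies\Microsoft\Office\
Software\Microsoft\Office\
Software\Microsoft\Windows\CurrentVersion\Explorer\
Software\Microsoft\Internet Explorer\
software\policies\microsoft\shared tools\proofing tools\
software\policies\microsoft\imejp\
software\policies\microsoft\ime\shared\
software\policies\microsoft\shared tools\graphics filters\
software\policies\microsoft\windows\currentversion\explorer\
software\policies\microsoft\softwareprotectionplatform\
software\policies\microsoft\officesoftwareprotectionplatform\
software\policies\microsoft\windows\windows search\preferences\
software\policies\microsoft\exchange\
software\microsoft\shared tools\proofing tools\
software\microsoft\shared tools\graphics filters\
software\microsoft\windows\windows search\preferences\
software\microsoft\exchange\
software\policies\microsoft\vba\security\
software\microsoft\onedrive
software\Microsoft\Edge
Software\Microsoft\EdgeUpdate\
"""

def normalize(key):
    """Lower-case a registry path and drop empty components."""
    return "\\".join(p for p in key.strip().lower().split("\\") if p)

ALLOWED = tuple(normalize(e) for e in EXCEPTIONS.split("\n") if e.strip())

def under(key, root):
    # Assumption: compare whole path components, not raw string prefixes.
    return key == root or key.startswith(root + "\\")

def is_key_allowed(key):
    k = normalize(key)
    if not any(under(k, r) for r in BLOCKED_ROOTS):
        return True  # outside the protected roots
    return any(under(k, a) for a in ALLOWED)

def blocked_keys(admx_xml):
    """Return sorted (policy name, key) pairs that land in a protected location."""
    bad = set()
    for policy in ET.fromstring(admx_xml).iter():
        if policy.tag.rsplit("}", 1)[-1] == "policy":  # tolerate an XML namespace
            for node in policy.iter():  # the policy itself and its child elements
                key = node.get("key")
                if key and not is_key_allowed(key):
                    bad.add((policy.get("name"), key))
    return sorted(bad)

# Constructed sample (not from the page); two keys fall inside protected roots.
SAMPLE_ADMX = r"""<policyDefinitions revision="1.0" schemaVersion="1.0"><policies>
<policy name="VendorKey" class="Machine" key="software\policies\contoso\companyApp" valueName="a"/>
<policy name="OfficeKey" class="User" key="Software\Policies\Microsoft\Office\16.0\Common" valueName="b"/>
<policy name="LookAlike" class="Machine" key="Software\Microsoft\OfficeTools" valueName="c"/>
<policy name="ElementKey" class="Machine" key="software\policies\contoso\companyApp">
<elements><text id="E1" key="System\ExampleComponent" valueName="d"/></elements></policy>
</policies></policyDefinitions>"""
```

blocked_keys(SAMPLE_ADMX) reports LookAlike and ElementKey: the first only resembles an allowed location, and the second carries its protected key on a child element rather than on the policy itself.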

Warning

Some operating system components have built-in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain-joined. However, you can still ingest ADMX files and set ADMX policies regardless of whether the device is domain-joined or not.

Note

Settings that cannot be configured through custom policy ingestion must be set by pushing the appropriate registry keys directly, for example through a PowerShell script.

Ingesting an app ADMX file

The following ADMX file example shows how to ingest a Win32 or Desktop Bridge app ADMX file and set policies from the file. The ADMX file defines eight policies.

Payload:

<policyDefinitions revision="1.0" schemaVersion="1.0">
  <categories>
    <category name="ParentCategoryArea"/>
    <category name="Category1">
      <parentCategory ref="ParentCategoryArea" />
    </category>
    <category name="Category2">
      <parentCategory ref="ParentCategoryArea" />
    </category>
    <category name="Category3">
      <parentCategory ref="Category2" />
    </category>
  </categories>
  <policies>
    <policy name="L_PolicyConfigurationMode" class="Machine" displayName="$(string.L_PolicyConfigurationMode)" explainText="$(string.L_ExplainText_ConfigurationMode)" presentation="$(presentation.L_PolicyConfigurationMode)" key="software\policies\contoso\companyApp" valueName="configurationmode">
      <parentCategory ref="Category1" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
      <elements>
        <text id="L_ServerAddressInternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressinternal" required="true" />
        <text id="L_ServerAddressExternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressexternal" required="true" />
      </elements>
    </policy>
    <policy name="L_PolicyEnableSIPHighSecurityMode" class="Machine" displayName="$(string.L_PolicyEnableSIPHighSecurityMode)" explainText="$(string.L_ExplainText_EnableSIPHighSecurityMode)" presentation="$(presentation.L_PolicyEnableSIPHighSecurityMode)" key="software\policies\contoso\companyApp" valueName="enablesiphighsecuritymode">
      <parentCategory ref="Category1" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="L_PolicySipCompression" class="Machine" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression)" key="software\policies\contoso\companyApp">
      <parentCategory ref="Category1" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <enum id="L_PolicySipCompression" valueName="sipcompression">
          <item displayName="$(string.L_SipCompressionVal0)">
            <value>
              <decimal value="0" />
            </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal1)">
            <value>
              <decimal value="1" />
            </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal2)">
            <value>
              <decimal value="2" />
            </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal3)">
            <value>
              <decimal value="3" />
            </value>
          </item>
        </enum>
      </elements>
    </policy>
    <policy name="L_PolicyPreventRun" class="Machine" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun)" key="software\policies\contoso\companyApp" valueName="preventrun">
      <parentCategory ref="Category1" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="L_PolicyConfiguredServerCheckValues" class="Machine" displayName="$(string.L_PolicyConfiguredServerCheckValues)" explainText="$(string.L_ExplainText_ConfiguredServerCheckValues)" presentation="$(presentation.L_PolicyConfiguredServerCheckValues)" key="software\policies\contoso\companyApp">
      <parentCategory ref="Category2" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <text id="L_ConfiguredServerCheckValues_VALUE" valueName="configuredservercheckvalues" required="true" />
      </elements>
    </policy>
    <policy name="L_PolicySipCompression_1" class="User" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression_1)" key="software\policies\contoso\companyApp">
      <parentCategory ref="Category2" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <enum id="L_PolicySipCompression" valueName="sipcompression">
          <item displayName="$(string.L_SipCompressionVal0)">
            <value>
              <decimal value="0" />
            </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal1)">
            <value>
              <decimal value="1" />
            </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal2)">
            <value>
              <decimal value="2" />
            </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal3)">
            <value>
              <decimal value="3" />
            </value>
          </item>
        </enum>
      </elements>
    </policy>
    <policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun">
      <parentCategory ref="Category3" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="L_PolicyGalDownloadInitialDelay_1" class="User" displayName="$(string.L_PolicyGalDownloadInitialDelay)" explainText="$(string.L_ExplainText_GalDownloadInitialDelay)" presentation="$(presentation.L_PolicyGalDownloadInitialDelay_1)" key="software\policies\contoso\companyApp">
      <parentCategory ref="Category3" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <decimal id="L_GalDownloadInitialDelay_VALUE" valueName="galdownloadinitialdelay" minValue="0" required="true" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>

Request SyncML:

The ADMX file is escaped and sent in SyncML format through the Policy CSP URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName}. When the ADMX file is imported, the policy states for each new policy are the same as those of a regular MDM policy: Enabled, Disabled, or Not Configured.

The following example shows an ADMX file in SyncML format:

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Add>
      <CmdID>102</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Target>
          <LocURI>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01</LocURI>
        </Target>
        <Data>
        <![CDATA[<policyDefinitions revision="1.0" schemaVersion="1.0">
          <categories>
          <category name="ParentCategoryArea"/>
          <category name="Category1">
          <parentCategory ref="ParentCategoryArea" />
          </category>
          <category name="Category2">
          <parentCategory ref="ParentCategoryArea" />
          </category>
          <category name="Category3">
          <parentCategory ref="Category2" />
          </category>
          </categories>
          <policies>
          <policy name="L_PolicyConfigurationMode" class="Machine" displayName="$(string.L_PolicyConfigurationMode)" explainText="$(string.L_ExplainText_ConfigurationMode)" presentation="$(presentation.L_PolicyConfigurationMode)" key="software\policies\contoso\companyApp" valueName="configurationmode">
          <parentCategory ref="Category1" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <enabledValue>
          <decimal value="1" />
          </enabledValue>
          <disabledValue>
          <decimal value="0" />
          </disabledValue>
          <elements>
          <text id="L_ServerAddressInternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressinternal" required="true" />
          <text id="L_ServerAddressExternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressexternal" required="true" />
          </elements>
          </policy>
          <policy name="L_PolicyEnableSIPHighSecurityMode" class="Machine" displayName="$(string.L_PolicyEnableSIPHighSecurityMode)" explainText="$(string.L_ExplainText_EnableSIPHighSecurityMode)" presentation="$(presentation.L_PolicyEnableSIPHighSecurityMode)" key="software\policies\contoso\companyApp" valueName="enablesiphighsecuritymode">
          <parentCategory ref="Category1" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <enabledValue>
          <decimal value="1" />
          </enabledValue>
          <disabledValue>
          <decimal value="0" />
          </disabledValue>
          </policy>
          <policy name="L_PolicySipCompression" class="Machine" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression)" key="software\policies\contoso\companyApp">
          <parentCategory ref="Category1" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <elements>
          <enum id="L_PolicySipCompression" valueName="sipcompression">
          <item displayName="$(string.L_SipCompressionVal0)">
          <value>
          <decimal value="0" />
          </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal1)">
          <value>
          <decimal value="1" />
          </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal2)">
          <value>
          <decimal value="2" />
          </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal3)">
          <value>
          <decimal value="3" />
          </value>
          </item>
          </enum>
          </elements>
          </policy>
          <policy name="L_PolicyPreventRun" class="Machine" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun)" key="software\policies\contoso\companyApp" valueName="preventrun">
          <parentCategory ref="Category1" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <enabledValue>
          <decimal value="1" />
          </enabledValue>
          <disabledValue>
          <decimal value="0" />
          </disabledValue>
          </policy>
          <policy name="L_PolicyConfiguredServerCheckValues" class="Machine" displayName="$(string.L_PolicyConfiguredServerCheckValues)" explainText="$(string.L_ExplainText_ConfiguredServerCheckValues)" presentation="$(presentation.L_PolicyConfiguredServerCheckValues)" key="software\policies\contoso\companyApp">
          <parentCategory ref="Category2" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <elements>
          <text id="L_ConfiguredServerCheckValues_VALUE" valueName="configuredservercheckvalues" required="true" />
          </elements>
          </policy>
          <policy name="L_PolicySipCompression_1" class="User" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression_1)" key="software\policies\contoso\companyApp">
          <parentCategory ref="Category2" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <elements>
          <enum id="L_PolicySipCompression" valueName="sipcompression">
          <item displayName="$(string.L_SipCompressionVal0)">
          <value>
          <decimal value="0" />
          </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal1)">
          <value>
          <decimal value="1" />
          </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal2)">
          <value>
          <decimal value="2" />
          </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal3)">
          <value>
          <decimal value="3" />
          </value>
          </item>
          </enum>
          </elements>
          </policy>
          <policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun">
          <parentCategory ref="Category3" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <enabledValue>
          <decimal value="1" />
          </enabledValue>
          <disabledValue>
          <decimal value="0" />
          </disabledValue>
          </policy>
          <policy name="L_PolicyGalDownloadInitialDelay_1" class="User" displayName="$(string.L_PolicyGalDownloadInitialDelay)" explainText="$(string.L_ExplainText_GalDownloadInitialDelay)" presentation="$(presentation.L_PolicyGalDownloadInitialDelay_1)" key="software\policies\contoso\companyApp">
          <parentCategory ref="Category3" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <elements>
          <decimal id="L_GalDownloadInitialDelay_VALUE" valueName="galdownloadinitialdelay" minValue="0" required="true" />
          </elements>
          </policy>
          </policies>
          </policyDefinitions>]]>
        </Data>
      </Item>
    </Add>
    <Final/>
  </SyncBody>
</SyncML>

Response SyncML:

<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>102</CmdRef><Cmd>Add</Cmd><Data>200</Data></Status>

URI format for configuring an app policy

The following example shows how to derive a Win32 or Desktop Bridge app policy name and policy area name:

<categories>
    <category name="ParentCategoryArea"/>
    <category name="Category1">
      <parentCategory ref="ParentCategoryArea" />
    </category>
    <category name="Category2">
      <parentCategory ref="ParentCategoryArea" />
    </category>
    <category name="Category3">
      <parentCategory ref="Category2" />
    </category>
  </categories>
<policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun">
      <parentCategory ref="Category3" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>

As documented in Policy CSP, the URI format for configuring a policy through Policy CSP is: ./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}.

User or device policy:

The class attribute of the policy determines the URI prefix. If the attribute is defined as "User", the URI is prefixed with ./user. If the attribute value is "Machine", the URI is prefixed with ./device. If the attribute value is "Both", the policy can be configured as either a user or a device policy.

The format of the policy {AreaName} is {AppName}~{SettingType}~{CategoryPathFromAdmx}. {AppName} and {SettingType} are derived from the URI used to import the ADMX file. In this example, the URI is: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01.

{CategoryPathFromAdmx} is derived by traversing the parentCategory parameter. In this example, {CategoryPathFromAdmx} is ParentCategoryArea~Category2~Category3. Therefore, {AreaName} is ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3.

Therefore, from the example:

  • Class: User
  • Policy name: L_PolicyPreventRun_1
  • Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3
  • URI: ./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1
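The derivation above as code, so that the area name and URI can be computed for any policy in an ingested file instead of by hand. This is an added example, not code from the original page or from Microsoft; the function names are hypothetical, and it assumes every category in the chain is defined in the same ADMX file (it raises an error on an undefined category or a parentCategory cycle).

```python
import xml.etree.ElementTree as ET

MARKER = "/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/"
SCOPES = {"User": ["user"], "Machine": ["device"], "Both": ["user", "device"]}

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # tolerate an XML namespace

def _parent_ref(el):
    return next((c.get("ref") for c in el if _local(c) == "parentCategory"), None)

def category_path(root, leaf):
    """Walk parentCategory references from the leaf category up to the top."""
    parents = {c.get("name"): _parent_ref(c)
               for c in root.iter() if _local(c) == "category"}
    path = []
    while leaf is not None:
        # Assumption: every category is defined in this file; fail closed if not.
        if leaf not in parents:
            raise ValueError(f"category {leaf!r} is not defined in this file")
        if leaf in path:
            raise ValueError(f"parentCategory cycle at {leaf!r}")
        path.append(leaf)
        leaf = parents[leaf]
    return "~".join(reversed(path))

def config_uris(admx_xml, install_uri, policy_name):
    """Return the Policy CSP Config URI(s) for one policy of an ingested file."""
    _, found, tail = install_uri.partition(MARKER)
    parts = tail.split("/")
    if not found or len(parts) != 3 or not all(parts):
        raise ValueError("expected .../ADMXInstall/{AppName}/{SettingType}/{FileUid}")
    app_name, setting_type, _file_uid = parts
    root = ET.fromstring(admx_xml)
    for policy in root.iter():
        if _local(policy) == "policy" and policy.get("name") == policy_name:
            ref = _parent_ref(policy)
            if ref is None:
                raise ValueError("policy has no parentCategory")
            area = "~".join([app_name, setting_type, category_path(root, ref)])
            return [f"./{scope}/Vendor/MSFT/Policy/Config/{area}/{policy_name}"
                    for scope in SCOPES[policy.get("class")]]
    raise KeyError(policy_name)

# Values from the page's example, with attributes not needed here trimmed.
INSTALL_URI = ("./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/"
               "ContosoCompanyApp/Policy/AppAdmxFile01")
SAMPLE_ADMX = r"""<policyDefinitions revision="1.0" schemaVersion="1.0">
<categories>
<category name="ParentCategoryArea"/>
<category name="Category1"><parentCategory ref="ParentCategoryArea"/></category>
<category name="Category2"><parentCategory ref="ParentCategoryArea"/></category>
<category name="Category3"><parentCategory ref="Category2"/></category>
</categories>
<policies>
<policy name="L_PolicyConfigurationMode" class="Machine" key="software\policies\contoso\companyApp" valueName="configurationmode"><parentCategory ref="Category1"/></policy>
<policy name="L_PolicyPreventRun_1" class="User" key="software\policies\contoso\companyApp" valueName="preventrun"><parentCategory ref="Category3"/></policy>
</policies></policyDefinitions>"""
```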

ADMX-backed app policy examples

The following examples describe how to set ADMX-ingested app policies.

Enabling an app policy

Payload:

<enabled/>
<data id="L_ServerAddressInternal_VALUE" value="TextValue1"/>
<data id="L_ServerAddressExternal_VALUE" value="TextValue2"/>

Request SyncML:

<SyncML xmlns="SYNCML:SYNCML1.1">
  <SyncBody>
    <Replace>
      <CmdID>103</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Target>
          <LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
        </Target>
        <Data><![CDATA[<enabled/><data id="L_ServerAddressInternal_VALUE" value="TextValue1"/><data id="L_ServerAddressExternal_VALUE" value="TextValue2"/>]]></Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>

Response SyncML:

<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>103</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status>
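The Enabled payload and Replace request above, generated from values rather than written by hand, with the element ids checked against the ADMX definition first. This is an added example, not code from the original page or from Microsoft; the function names are hypothetical, treating required="true" elements as mandatory is this example's own pre-flight check, and the request entity-escapes the Data text instead of using CDATA.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS = "SYNCML:SYNCML1.1"  # namespace used by the Replace requests on this page

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # tolerate an XML namespace

def element_ids(admx_xml, policy_name):
    """Map element id -> required flag for the <elements> of one policy."""
    for policy in ET.fromstring(admx_xml).iter():
        if _local(policy) == "policy" and policy.get("name") == policy_name:
            return {e.get("id"): e.get("required") == "true"
                    for group in policy if _local(group) == "elements"
                    for e in group}
    raise KeyError(policy_name)

def enabled_payload(admx_xml, policy_name, values):
    """Build '<enabled/><data .../>' after checking ids against the ADMX."""
    ids = element_ids(admx_xml, policy_name)
    unknown = sorted(set(values) - set(ids))
    missing = sorted(i for i, required in ids.items() if required and i not in values)
    if unknown or missing:
        raise ValueError(f"unknown ids {unknown}, missing required ids {missing}")
    # quoteattr escapes &, < and > and picks safe quotes, so a value cannot
    # close the attribute and smuggle extra elements into the payload.
    return "<enabled/>" + "".join(
        f"<data id={quoteattr(i)} value={quoteattr(str(v))}/>"
        for i, v in values.items())

def replace_request(cmd_id, loc_uri, payload):
    """Wrap a payload in a SyncML Replace shaped like the request above."""
    root = ET.Element("SyncML", {"xmlns": NS})
    body = ET.SubElement(root, "SyncBody")
    replace = ET.SubElement(body, "Replace")
    ET.SubElement(replace, "CmdID").text = str(cmd_id)
    item = ET.SubElement(replace, "Item")
    meta = ET.SubElement(item, "Meta")
    ET.SubElement(meta, "Format").text = "chr"
    ET.SubElement(meta, "Type").text = "text/plain"
    ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = loc_uri
    ET.SubElement(item, "Data").text = payload  # serialized entity-escaped
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")

def data_of(request_xml):
    """Parse a request back and return the <Data> text a receiver would see."""
    return ET.fromstring(request_xml).find(f".//{{{NS}}}Data").text

# Policy definition and URI taken from the page's example, trimmed.
LOC_URI = ("./Device/Vendor/MSFT/Policy/Config/"
           "ContosoCompanyApp~Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode")
SAMPLE_ADMX = r"""<policyDefinitions revision="1.0" schemaVersion="1.0"><policies>
<policy name="L_PolicyConfigurationMode" class="Machine" key="software\policies\contoso\companyApp" valueName="configurationmode">
<parentCategory ref="Category1" />
<elements>
<text id="L_ServerAddressInternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressinternal" required="true" />
<text id="L_ServerAddressExternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressexternal" required="true" />
</elements>
</policy></policies></policyDefinitions>"""
```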

Disabling an app policy

Payload:

<disabled/>

Request SyncML:

<SyncML xmlns="SYNCML:SYNCML1.1">
  <SyncBody>
    <Replace>
      <CmdID>104</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Target>
          <LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
        </Target>
        <Data><![CDATA[<disabled/>]]></Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>

Response SyncML:

<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>104</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status>

Setting an app policy to not configured

Payload:

(None)

Request SyncML:

<SyncML xmlns="SYNCML:SYNCML1.1">
  <SyncBody>
    <Delete>
      <CmdID>105</CmdID>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
        </Target>
      </Item>
    </Delete>
    <Final/>
  </SyncBody>
</SyncML>

Response SyncML:

<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>105</CmdRef><Cmd>Delete</Cmd><Data>200</Data></Status>