Policy CSP - ADMX_DeviceInstallation
Tip
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
DeviceInstall_AllowAdminInstall
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall
This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings.
If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device.
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or don't configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DeviceInstall_AllowAdminInstall |
| Friendly Name | Allow administrators to override Device Installation Restriction policies |
| Location | Computer Configuration |
| Path | System > Device Installation > Device Installation Restrictions |
| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
| Registry Value Name | AllowAdminInstall |
| ADMX File Name | DeviceInstallation.admx |
DeviceInstall_DeniedPolicy_DetailText
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText
This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation.
If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation.
If you disable or don't configure this policy setting, Windows displays a default message when a policy setting prevents device installation.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DeviceInstall_DeniedPolicy_DetailText |
| Friendly Name | Display a custom message when installation is prevented by a policy setting |
| Location | Computer Configuration |
| Path | System > Device Installation > Device Installation Restrictions |
| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy |
| ADMX File Name | DeviceInstallation.admx |
DeviceInstall_DeniedPolicy_SimpleText
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText
This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation.
If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation.
If you disable or don't configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DeviceInstall_DeniedPolicy_SimpleText |
| Friendly Name | Display a custom message title when device installation is prevented by a policy setting |
| Location | Computer Configuration |
| Path | System > Device Installation > Device Installation Restrictions |
| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy |
| ADMX File Name | DeviceInstallation.admx |
DeviceInstall_InstallTimeout
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_InstallTimeout
This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete.
If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation.
If you disable or don't configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DeviceInstall_InstallTimeout |
| Friendly Name | Configure device installation time-out |
| Location | Computer Configuration |
| Path | System > Device Installation |
| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Settings |
| ADMX File Name | DeviceInstallation.admx |
DeviceInstall_Policy_RebootTime
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime
This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies.
If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot.
If you disable or don't configure this policy setting, the system doesn't force a reboot.
Note
If no reboot is forced, the device installation restriction right won't take effect until the system is restarted.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DeviceInstall_Policy_RebootTime |
| Friendly Name | Time (in seconds) to force reboot when required for policy changes to take effect |
| Location | Computer Configuration |
| Path | System > Device Installation > Device Installation Restrictions |
| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
| Registry Value Name | ForceReboot |
| ADMX File Name | DeviceInstallation.admx |
DeviceInstall_Removable_Deny
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_Removable_Deny
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.
Note
To enable the "Allow installation of devices using drivers that match these device setup classes", "Allow installation of devices that match any of these device IDs", and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting.
If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices can't have their drivers updated.
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.
If you disable or don't configure this policy setting, Windows can install and update driver packages for removable devices as allowed or prevented by other policy settings.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DeviceInstall_Removable_Deny |
| Friendly Name | Prevent installation of removable devices |
| Location | Computer Configuration |
| Path | System > Device Installation > Device Installation Restrictions |
| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
| Registry Value Name | DenyRemovableDevices |
| ADMX File Name | DeviceInstallation.admx |
DeviceInstall_SystemRestore
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_SystemRestore
This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity.
If you enable this policy setting, Windows doesn't create a system restore point when one would normally be created.
If you disable or don't configure this policy setting, Windows creates a system restore point as it normally would.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DeviceInstall_SystemRestore |
| Friendly Name | Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point |
| Location | Computer Configuration |
| Path | System > Device Installation |
| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Settings |
| Registry Value Name | DisableSystemRestore |
| ADMX File Name | DeviceInstallation.admx |
DriverInstall_Classes_AllowUser
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041.1202] and later ✅ Windows 10, version 2009 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser
This policy setting specifies a list of device setup class GUIDs describing driver packages that non-administrator members of the built-in Users group may install on the system.
If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store.
If you disable or don't configure this policy setting, only members of the Administrators group are allowed to install new driver packages on the system.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DriverInstall_Classes_AllowUser |
| Friendly Name | Allow non-administrators to install drivers for these device setup classes |
| Location | Computer Configuration |
| Path | System > Driver Installation |
| Registry Key Name | Software\Policies\Microsoft\Windows\DriverInstall\Restrictions |
| Registry Value Name | AllowUserDeviceClasses |
| ADMX File Name | DeviceInstallation.admx |
Related articles
Feedback
Binnenkort beschikbaar: In de loop van 2024 zullen we GitHub-problemen geleidelijk uitfaseren als het feedbackmechanisme voor inhoud en deze vervangen door een nieuw feedbacksysteem. Zie voor meer informatie: https://aka.ms/ContentUserFeedback.
Feedback verzenden en weergeven voor