This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
AllowDiskHealthModelUpdates
Scope: ✅ Device ❌ User
Editions: ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS
Storage Sense can automatically clean some of the user's files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the "Configure Storage Sense cadence" group policy.
Enabled:
Storage Sense is turned on for the machine, with the default cadence as 'during low free disk space'. Users can't disable Storage Sense, but they can adjust the cadence (unless you also configure the "Configure Storage Sense cadence" group policy).
Disabled:
Storage Sense is turned off for the machine. Users can't enable Storage Sense.
Not Configured:
By default, Storage Sense is turned off until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings.
Description framework properties:
Format: int
Access Type: Add, Delete, Get, Replace
Default Value: 0
Allowed values:
1: Allow.
0 (Default): Block.
Group policy mapping:
Name: SS_AllowStorageSenseGlobal
Friendly Name: Allow Storage Sense
Location: Computer Configuration
Path: System > Storage Sense
Registry Key Name: Software\Policies\Microsoft\Windows\StorageSense
Registry Value Name: AllowStorageSenseGlobal
ADMX File Name: StorageSense.admx
AllowStorageSenseTemporaryFilesCleanup
Scope: ✅ Device ❌ User
Editions: ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS
When Storage Sense runs, it can dehydrate cloud-backed content that hasn't been opened for a certain number of days.
If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect.
Enabled:
You must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it from the sync root. Supported values are: 0 - 365.
If you set this value to zero, Storage Sense won't dehydrate any cloud-backed content. The default value is 0, or never dehydrating cloud-backed content.
Disabled or Not Configured:
By default, Storage Sense won't dehydrate any cloud-backed content. Users can configure this setting in Storage settings.
When Storage Sense runs, it can delete files in the user's Downloads folder if they haven't been opened for more than a certain number of days.
If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect.
Enabled:
You must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from Downloads folder. Supported values are: 0 - 365.
If you set this value to zero, Storage Sense won't delete files in the user's Downloads folder. The default is 0, or never deleting files in the Downloads folder.
Disabled or Not Configured:
By default, Storage Sense won't delete files in the user's Downloads folder. Users can configure this setting in Storage settings.
Storage Sense can automatically clean some of the user's files to free up disk space.
If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect.
Enabled:
You must provide the desired Storage Sense cadence. Supported options are: daily, weekly, monthly, and during low free disk space. The default is 0 (during low free disk space).
Disabled or Not Configured:
By default, the Storage Sense cadence is set to "during low free disk space". Users can configure this setting in Storage settings.
Use the following integer values for the supported options:
0: During low free disk space (default)
1: Daily
7: Weekly
30: Monthly
Description framework properties:
Format: int
Access Type: Add, Delete, Get, Replace
Allowed Values: Range: [0-4294967295]
Default Value: 0
Group policy mapping:
Name: SS_ConfigStorageSenseGlobalCadence
Friendly Name: Configure Storage Sense cadence
Location: Computer Configuration
Path: System > Storage Sense
Registry Key Name: Software\Policies\Microsoft\Windows\StorageSense
ADMX File Name: StorageSense.admx
ConfigStorageSenseRecycleBinCleanupThreshold
Scope: ✅ Device ❌ User
Editions: ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS
When Storage Sense runs, it can delete files in the user's Recycle Bin if they've been there for more than a certain number of days.
If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect.
Enabled:
You must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0 - 365.
If you set this value to zero, Storage Sense won't delete files in the user's Recycle Bin. The default is 30 days.
Disabled or Not Configured:
By default, Storage Sense will delete files in the user's Recycle Bin that have been there for over 30 days. Users can configure this setting in Storage settings.
Description framework properties:
Format: int
Access Type: Add, Delete, Get, Replace
Allowed Values: Range: [0-365]
Default Value: 30
Group policy mapping:
Name: SS_ConfigStorageSenseRecycleBinCleanupThreshold
Friendly Name: Configure Storage Sense Recycle Bin cleanup threshold
Location: Computer Configuration
Path: System > Storage Sense
Registry Key Name: Software\Policies\Microsoft\Windows\StorageSense
ADMX File Name: StorageSense.admx
EnhancedStorageDevices
Scope: ✅ Device ❌ User
Editions: ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC
Applicable OS
This policy setting denies write access to removable disks.
If you enable this policy setting, write access is denied to this removable storage class.
If you disable or don't configure this policy setting, write access is allowed to this removable storage class.
Note
To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives".
This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
If you enable this policy setting, read access is denied to this removable storage class.
If you disable or don't configure this policy setting, read access is allowed to this removable storage class.
This policy is enforced over the following protocols, which are used by most portable devices, for example, mobile/iOS/Android:
Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth.
Media Transfer Protocol (MTP) over USB, IP, and Bluetooth.
Mass Storage Class (MSC) over USB.
Note
WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive into a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer.
Description framework properties:
Format: chr (string)
Access Type: Add, Delete, Get, Replace
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
If you enable this policy setting, read access is denied to this removable storage class.
If you disable or don't configure this policy setting, read access is allowed to this removable storage class.
This policy is enforced over the following protocols, which are used by most portable devices, for example, mobile/iOS/Android:
Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth.
Media Transfer Protocol (MTP) over USB, IP, and Bluetooth.
Mass Storage Class (MSC) over USB.
Note
WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive into a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer.
Description framework properties:
Format: chr (string)
Access Type: Add, Delete, Get, Replace
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
If you enable this policy setting, write access is denied to this removable storage class.
If you disable or don't configure this policy setting, write access is allowed to this removable storage class.
This policy is enforced over the following protocols, which are used by most portable devices, for example, mobile/iOS/Android:
Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth.
Media Transfer Protocol (MTP) over USB, IP, and Bluetooth.
Mass Storage Class (MSC) over USB.
Note
WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive into a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer.
Description framework properties:
Format: chr (string)
Access Type: Add, Delete, Get, Replace
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
If you enable this policy setting, write access is denied to this removable storage class.
If you disable or don't configure this policy setting, write access is allowed to this removable storage class.
This policy is enforced over the following protocols, which are used by most portable devices, for example, mobile/iOS/Android:
Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth.
Media Transfer Protocol (MTP) over USB, IP, and Bluetooth.
Mass Storage Class (MSC) over USB.
Note
WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive into a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer.
Description framework properties:
Format: chr (string)
Access Type: Add, Delete, Get, Replace
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
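The SyncML requirements stated at the top of this page (Format chr, payload XML-encoded or wrapped in CDATA), as an added example that is not part of Microsoft's documentation: a Python helper that builds `<Replace>` commands for an integer policy and for an ADMX-backed policy, then parses them back to show that the encoded and CDATA forms carry the same payload. The OMA-URI prefix, the policy name `WPDDevicesDenyReadAccessPerDevice`, the `<enabled/>` payload and the CmdID are assumptions not stated on this page.

```python
# Added example: build SyncML <Replace> commands for Storage policies.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumption: device-scope Policy CSP prefix (not stated on this page).
BASE = "./Device/Vendor/MSFT/Policy/Config/Storage/"

# Integer policy and its allowed range, as documented on this page.
INT_RANGES = {"ConfigStorageSenseRecycleBinCleanupThreshold": range(0, 366)}


def replace_cmd(policy, fmt, data, cmd_id=1):
    """Return one <Replace> command; `data` must already be safe XML text."""
    return (
        f"<Replace><CmdID>{cmd_id}</CmdID><Item>"
        f"<Target><LocURI>{BASE}{policy}</LocURI></Target>"
        f'<Meta><Format xmlns="syncml:metinf">{fmt}</Format></Meta>'
        f"<Data>{data}</Data></Item></Replace>"
    )


def int_policy(policy, value):
    """Integer policy: reject values outside the documented range."""
    if value not in INT_RANGES[policy]:
        raise ValueError(f"{policy}: {value} is outside the allowed range")
    return replace_cmd(policy, "int", str(value))


def admx_policy(policy, payload, use_cdata=False):
    """ADMX-backed policy: Format is chr; the payload is XML-encoded,
    or wrapped in CDATA when the MDM supports it."""
    if use_cdata:
        if "]]>" in payload:
            raise ValueError("payload contains ']]>' and cannot sit in CDATA")
        data = f"<![CDATA[{payload}]]>"
    else:
        data = escape(payload)  # < becomes &lt;, > becomes &gt;, & becomes &amp;
    return replace_cmd(policy, "chr", data)


def data_text(cmd):
    """Parse the command as a receiver would and return the <Data> text."""
    return ET.fromstring(cmd).find("./Item/Data").text


if __name__ == "__main__":
    # Policy name and <enabled/> payload are assumptions, not from this page.
    print(admx_policy("WPDDevicesDenyReadAccessPerDevice", "<enabled/>"))
    print(int_policy("ConfigStorageSenseRecycleBinCleanupThreshold", 30))
```

An unencoded `<enabled/>` placed directly in `<Data>` would be parsed as a child element instead of string data, which is why the payload has to be encoded or wrapped.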