Policy CSP - Storage
Tip
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
AllowDiskHealthModelUpdates
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/Policy/Config/Storage/AllowDiskHealthModelUpdates
Allows downloading new updates to ML Model parameters for predicting storage disk failure.
Enabled:
Updates would be downloaded for the Disk Failure Prediction Failure Model.
Disabled:
Updates wouldn't be downloaded for the Disk Failure Prediction Failure Model.
Not configured:
Same as Enabled.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
Allowed values:
| Value | Description |
|---|---|
| 0 | Don't allow. |
| 1 (Default) | Allow. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | SH_AllowDiskHealthModelUpdates |
| Friendly Name | Allow downloading updates to the Disk Failure Prediction Model |
| Location | Computer Configuration |
| Path | System > Storage Health |
| Registry Key Name | Software\Policies\Microsoft\Windows\StorageHealth |
| Registry Value Name | AllowDiskHealthModelUpdates |
| ADMX File Name | StorageHealth.admx |
AllowStorageSenseGlobal
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1903 [10.0.18362] and later |
./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseGlobal
Storage Sense can automatically clean some of the user's files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the "Configure Storage Sense cadence" group policy.
Enabled:
Storage Sense is turned on for the machine, with the default cadence as 'during low free disk space'. Users can't disable Storage Sense, but they can adjust the cadence (unless you also configure the "Configure Storage Sense cadence" group policy).
Disabled:
Storage Sense is turned off the machine. Users can't enable Storage Sense.
Not Configured:
By default, Storage Sense is turned off until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
Allowed values:
| Value | Description |
|---|---|
| 1 | Allow. |
| 0 (Default) | Block. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | SS_AllowStorageSenseGlobal |
| Friendly Name | Allow Storage Sense |
| Location | Computer Configuration |
| Path | System > Storage Sense |
| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense |
| Registry Value Name | AllowStorageSenseGlobal |
| ADMX File Name | StorageSense.admx |
AllowStorageSenseTemporaryFilesCleanup
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1903 [10.0.18362] and later |
./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseTemporaryFilesCleanup
When Storage Sense runs, it can delete the user's temporary files that aren't in use.
If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect.
Enabled:
Storage Sense will delete the user's temporary files that aren't in use. Users can't disable this setting in Storage settings.
Disabled:
Storage Sense won't delete the user's temporary files. Users can't enable this setting in Storage settings.
Not Configured:
By default, Storage Sense will delete the user's temporary files. Users can configure this setting in Storage settings.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
Allowed values:
| Value | Description |
|---|---|
| 1 (Default) | Allow. |
| 0 | Block. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | SS_AllowStorageSenseTemporaryFilesCleanup |
| Friendly Name | Allow Storage Sense Temporary Files cleanup |
| Location | Computer Configuration |
| Path | System > Storage Sense |
| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense |
| Registry Value Name | AllowStorageSenseTemporaryFilesCleanup |
| ADMX File Name | StorageSense.admx |
ConfigStorageSenseCloudContentDehydrationThreshold
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1903 [10.0.18362] and later |
./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseCloudContentDehydrationThreshold
When Storage Sense runs, it can dehydrate cloud-backed content that hasn't been opened in a certain amount of days.
If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect.
Enabled:
You must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it from the sync root. Supported values are: 0 - 365.
If you set this value to zero, Storage Sense won't dehydrate any cloud-backed content. The default value is 0, or never dehydrating cloud-backed content.
Disabled or Not Configured:
By default, Storage Sense won't dehydrate any cloud-backed content. Users can configure this setting in Storage settings.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-365] |
| Default Value | 0 |
Group policy mapping:
| Name | Value |
|---|---|
| Name | SS_ConfigStorageSenseCloudContentDehydrationThreshold |
| Friendly Name | Configure Storage Sense Cloud Content dehydration threshold |
| Location | Computer Configuration |
| Path | System > Storage Sense |
| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense |
| ADMX File Name | StorageSense.admx |
ConfigStorageSenseDownloadsCleanupThreshold
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1903 [10.0.18362] and later |
./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseDownloadsCleanupThreshold
When Storage Sense runs, it can delete files in the user's Downloads folder if they haven't been opened for more than a certain number of days.
If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect.
Enabled:
You must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from Downloads folder. Supported values are: 0 - 365.
If you set this value to zero, Storage Sense won't delete files in the user's Downloads folder. The default is 0, or never deleting files in the Downloads folder.
Disabled or Not Configured:
By default, Storage Sense won't delete files in the user's Downloads folder. Users can configure this setting in Storage settings.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-365] |
| Default Value | 0 |
Group policy mapping:
| Name | Value |
|---|---|
| Name | SS_ConfigStorageSenseDownloadsCleanupThreshold |
| Friendly Name | Configure Storage Storage Downloads cleanup threshold |
| Location | Computer Configuration |
| Path | System > Storage Sense |
| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense |
| ADMX File Name | StorageSense.admx |
ConfigStorageSenseGlobalCadence
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1903 [10.0.18362] and later |
./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseGlobalCadence
Storage Sense can automatically clean some of the user's files to free up disk space.
If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect.
Enabled:
You must provide the desired Storage Sense cadence. Supported options are: daily, weekly, monthly, and during low free disk space. The default is 0 (during low free disk space).
Disabled or Not Configured:
By default, the Storage Sense cadence is set to "during low free disk space". Users can configure this setting in Storage settings.
Use the following integer values for the supported options:
0: During low free disk space (default)1: Daily7: Weekly30: Monthly
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-4294967295] |
| Default Value | 0 |
Group policy mapping:
| Name | Value |
|---|---|
| Name | SS_ConfigStorageSenseGlobalCadence |
| Friendly Name | Configure Storage Sense cadence |
| Location | Computer Configuration |
| Path | System > Storage Sense |
| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense |
| ADMX File Name | StorageSense.admx |
ConfigStorageSenseRecycleBinCleanupThreshold
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1903 [10.0.18362] and later |
./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseRecycleBinCleanupThreshold
When Storage Sense runs, it can delete files in the user's Recycle Bin if they've been there for over a certain amount of days.
If the group policy "Allow Storage Sense" is disabled, then this policy doesn't have any effect.
Enabled:
You must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0 - 365.
If you set this value to zero, Storage Sense won't delete files in the user's Recycle Bin. The default is 30 days.
Disabled or Not Configured:
By default, Storage Sense will delete files in the user's Recycle Bin that have been there for over 30 days. Users can configure this setting in Storage settings.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-365] |
| Default Value | 30 |
Group policy mapping:
| Name | Value |
|---|---|
| Name | SS_ConfigStorageSenseRecycleBinCleanupThreshold |
| Friendly Name | Configure Storage Sense Recycle Bin cleanup threshold |
| Location | Computer Configuration |
| Path | System > Storage Sense |
| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense |
| ADMX File Name | StorageSense.admx |
EnhancedStorageDevices
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/Policy/Config/Storage/EnhancedStorageDevices
This policy setting configures whether or not Windows will activate an Enhanced Storage device.
If you enable this policy setting, Windows won't activate unactivated Enhanced Storage devices.
If you disable or don't configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | TCGSecurityActivationDisabled |
| Friendly Name | Do not allow Windows to activate Enhanced Storage devices |
| Location | Computer Configuration |
| Path | System > Enhanced Storage Access |
| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices |
| Registry Value Name | TCGSecurityActivationDisabled |
| ADMX File Name | EnhancedStorage.admx |
RemovableDiskDenyWriteAccess
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1809 [10.0.17763] and later |
./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess
This policy setting denies write access to removable disks.
If you enable this policy setting, write access is denied to this removable storage class.
If you disable or don't configure this policy setting, write access is allowed to this removable storage class.
Note
To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives".
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
Allowed values:
| Value | Description |
|---|---|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | RemovableDisks_DenyWrite_Access_2 |
| Friendly Name | Removable Disks: Deny write access |
| Location | Computer Configuration |
| Path | System > Removable Storage Access |
| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
| ADMX File Name | RemovableStorage.admx |
WPDDevicesDenyReadAccessPerDevice
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyReadAccessPerDevice
This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
If you enable this policy setting, read access is denied to this removable storage class.
If you disable or don't configure this policy setting, read access is allowed to this removable storage class.
This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth.
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth.
- Mass Storage Class (MSC) over USB.
Note
WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | WPDDevices_DenyRead_Access_2 |
| Friendly Name | WPD Devices: Deny read access |
| Location | Computer Configuration |
| Path | System > Removable Storage Access |
| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices{6AC27878-A6FA-4155-BA85-F98F491D4F33} |
| Registry Value Name | Deny_Read |
| ADMX File Name | RemovableStorage.admx |
WPDDevicesDenyReadAccessPerUser
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyReadAccessPerUser
This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
If you enable this policy setting, read access is denied to this removable storage class.
If you disable or don't configure this policy setting, read access is allowed to this removable storage class.
This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth.
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth.
- Mass Storage Class (MSC) over USB.
Note
WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | WPDDevices_DenyRead_Access_1 |
| Friendly Name | WPD Devices: Deny read access |
| Location | User Configuration |
| Path | System > Removable Storage Access |
| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices{6AC27878-A6FA-4155-BA85-F98F491D4F33} |
| Registry Value Name | Deny_Read |
| ADMX File Name | RemovableStorage.admx |
WPDDevicesDenyWriteAccessPerDevice
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyWriteAccessPerDevice
This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
If you enable this policy setting, write access is denied to this removable storage class.
If you disable or don't configure this policy setting, write access is allowed to this removable storage class.
This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth.
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth.
- Mass Storage Class (MSC) over USB.
Note
WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | WPDDevices_DenyWrite_Access_2 |
| Friendly Name | WPD Devices: Deny write access |
| Location | Computer Configuration |
| Path | System > Removable Storage Access |
| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices{6AC27878-A6FA-4155-BA85-F98F491D4F33} |
| Registry Value Name | Deny_Write |
| ADMX File Name | RemovableStorage.admx |
WPDDevicesDenyWriteAccessPerUser
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyWriteAccessPerUser
This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
If you enable this policy setting, write access is denied to this removable storage class.
If you disable or don't configure this policy setting, write access is allowed to this removable storage class.
This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth.
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth.
- Mass Storage Class (MSC) over USB.
Note
WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | WPDDevices_DenyWrite_Access_1 |
| Friendly Name | WPD Devices: Deny write access |
| Location | User Configuration |
| Path | System > Removable Storage Access |
| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices{6AC27878-A6FA-4155-BA85-F98F491D4F33} |
| Registry Value Name | Deny_Write |
| ADMX File Name | RemovableStorage.admx |