共用方式為


Win32 和 傳統型橋接器 應用程式 ADMX 原則擷取

概觀

您可以在 ADMX 擷取) (內嵌 ADMX 檔案,並在桌面 SKU 上使用 Windows Mobile 裝置管理 (MDM) ,為 Win32 和 傳統型橋接器 應用程式設定這些 ADMX 原則。 定義原則資訊的 ADMX 檔案可以使用原則 CSP URI 擷取到您的裝置。 ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall 擷取的 ADMX 檔案接著會處理到 MDM 原則中。

支援從下列 Windows 版本 Replace 指令開始:

  • Windows 10 版本 1903,需安裝 KB4512941 和 KB4517211
  • 已安裝 KB4512534和 KB 的 Windows 10 版本 1809
  • Windows 10,已安裝 KB4512509 和 KB 的 1803 版
  • Windows 10,已安裝 KB4516071 和 KB 的 1709 版

擷取 ADMX 原則時,會檢查每個原則所寫入的登錄機碼,以免覆寫現有收件匣原則或系統元件所使用的已知系統登錄機碼或登錄機碼。 此預防措施有助於避免開啟整個登錄的安全性顧慮。 目前,擷取的原則不允許寫入至 System、Software \MicrosoftSoftware\Policies\Microsoft 密鑰內的位置,但下列位置除外:

  • Software\Policies\Microsoft\Office\
  • Software\Microsoft\Office\
  • Software\Microsoft\Windows\CurrentVersion\Explorer\
  • Software\Microsoft\Internet Explorer\
  • software\policies\microsoft\shared tools\proofing tools\
  • software\policies\microsoft\imejp\
  • software\policies\microsoft\ime\shared\
  • software\policies\microsoft\shared tools\graphics filters\
  • software\policies\microsoft\windows\currentversion\explorer\
  • software\policies\microsoft\softwareprotectionplatform\
  • software\policies\microsoft\officeoftwareprotectionplatform\
  • software\policies\microsoft\windows\windows search\preferences\
  • software\policies\microsoft\exchange\
  • software\microsoft\shared tools\proofing tools\
  • software\microsoft\shared tools\graphics filters\
  • software\microsoft\windows\windows search\preferences\
  • software\microsoft\exchange\
  • software\policies\microsoft\vba\security\
  • software\microsoft\onedrive
  • software\Microsoft\Edge
  • Software\Microsoft\EdgeUpdate\

警告

某些操作系統元件具有內建功能,可檢查裝置的網域成員資格。 只有在裝置已加入網域時,MDM 才會強制執行已設定的原則值,否則不會。 不過,您仍然可以內嵌 ADMX 檔案並設定 ADMX 原則,而不論裝置是已加入網域還是未加入網域。

注意

無法使用自定義原則擷取設定的設定必須透過直接推送適當的登錄機碼來設定 (例如,使用 PowerShell 腳本) 。

內嵌應用程式 ADMX 檔案

下列 ADMX 檔案範例示範如何內嵌 Win32 或 傳統型橋接器 應用程式 ADMX 檔案,並從檔案設定原則。 ADMX 檔案會定義八個原則。

承載

<policyDefinitions revision="1.0" schemaVersion="1.0">
  <categories>
    <category name="ParentCategoryArea"/>
    <category name="Category1">
      <parentCategory ref="ParentCategoryArea" />
    </category>
    <category name="Category2">
      <parentCategory ref="ParentCategoryArea" />
    </category>
    <category name="Category3">
      <parentCategory ref="Category2" />
    </category>
  </categories>
  <policies>
    <policy name="L_PolicyConfigurationMode" class="Machine" displayName="$(string.L_PolicyConfigurationMode)" explainText="$(string.L_ExplainText_ConfigurationMode)" presentation="$(presentation.L_PolicyConfigurationMode)" key="software\policies\contoso\companyApp" valueName="configurationmode">
      <parentCategory ref="Category1" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
      <elements>
        <text id="L_ServerAddressInternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressinternal" required="true" />
        <text id="L_ServerAddressExternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressexternal" required="true" />
      </elements>
    </policy>
    <policy name="L_PolicyEnableSIPHighSecurityMode" class="Machine" displayName="$(string.L_PolicyEnableSIPHighSecurityMode)" explainText="$(string.L_ExplainText_EnableSIPHighSecurityMode)" presentation="$(presentation.L_PolicyEnableSIPHighSecurityMode)" key="software\policies\contoso\companyApp" valueName="enablesiphighsecuritymode">
      <parentCategory ref="Category1" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="L_PolicySipCompression" class="Machine" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression)" key="software\policies\contoso\companyApp">
      <parentCategory ref="Category1" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <enum id="L_PolicySipCompression" valueName="sipcompression">
          <item displayName="$(string.L_SipCompressionVal0)">
            <value>
              <decimal value="0" />
            </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal1)">
            <value>
              <decimal value="1" />
            </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal2)">
            <value>
              <decimal value="2" />
            </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal3)">
            <value>
              <decimal value="3" />
            </value>
          </item>
        </enum>
      </elements>
    </policy>
    <policy name="L_PolicyPreventRun" class="Machine" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun)" key="software\policies\contoso\companyApp" valueName="preventrun">
      <parentCategory ref="Category1" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="L_PolicyConfiguredServerCheckValues" class="Machine" displayName="$(string.L_PolicyConfiguredServerCheckValues)" explainText="$(string.L_ExplainText_ConfiguredServerCheckValues)" presentation="$(presentation.L_PolicyConfiguredServerCheckValues)" key="software\policies\contoso\companyApp">
      <parentCategory ref="Category2" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <text id="L_ConfiguredServerCheckValues_VALUE" valueName="configuredservercheckvalues" required="true" />
      </elements>
    </policy>
    <policy name="L_PolicySipCompression_1" class="User" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression_1)" key="software\policies\contoso\companyApp">
      <parentCategory ref="Category2" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <enum id="L_PolicySipCompression" valueName="sipcompression">
          <item displayName="$(string.L_SipCompressionVal0)">
            <value>
              <decimal value="0" />
            </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal1)">
            <value>
              <decimal value="1" />
            </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal2)">
            <value>
              <decimal value="2" />
            </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal3)">
            <value>
              <decimal value="3" />
            </value>
          </item>
        </enum>
      </elements>
    </policy>
    <policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun">
      <parentCategory ref="Category3" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="L_PolicyGalDownloadInitialDelay_1" class="User" displayName="$(string.L_PolicyGalDownloadInitialDelay)" explainText="$(string.L_ExplainText_GalDownloadInitialDelay)" presentation="$(presentation.L_PolicyGalDownloadInitialDelay_1)" key="software\policies\contoso\companyApp">
      <parentCategory ref="Category3" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <elements>
        <decimal id="L_GalDownloadInitialDelay_VALUE" valueName="galdownloadinitialdelay" minValue="0" required="true" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>

要求 Syncml

ADMX 檔案會逸出,並透過原則 CSP URI 以 SyncML 格式傳送。 ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName} 匯入 ADMX 檔案時,每個新原則的原則狀態與一般 MDM 原則中的原則狀態相同:[已啟用]、[停用] 或 [未設定]。

下列範例顯示 SyncML 格式的 ADMX 檔案:

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Add>
      <CmdID>102</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Target>
          <LocURI>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01</LocURI>
        </Target>
        <Data>
        <![CDATA[<policyDefinitions revision="1.0" schemaVersion="1.0">
          <categories>
          <category name="ParentCategoryArea"/>
          <category name="Category1">
          <parentCategory ref="ParentCategoryArea" />
          </category>
          <category name="Category2">
          <parentCategory ref="ParentCategoryArea" />
          </category>
          <category name="Category3">
          <parentCategory ref="Category2" />
          </category>
          </categories>
          <policies>
          <policy name="L_PolicyConfigurationMode" class="Machine" displayName="$(string.L_PolicyConfigurationMode)" explainText="$(string.L_ExplainText_ConfigurationMode)" presentation="$(presentation.L_PolicyConfigurationMode)" key="software\policies\contoso\companyApp" valueName="configurationmode">
          <parentCategory ref="Category1" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <enabledValue>
          <decimal value="1" />
          </enabledValue>
          <disabledValue>
          <decimal value="0" />
          </disabledValue>
          <elements>
          <text id="L_ServerAddressInternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressinternal" required="true" />
          <text id="L_ServerAddressExternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressexternal" required="true" />
          </elements>
          </policy>
          <policy name="L_PolicyEnableSIPHighSecurityMode" class="Machine" displayName="$(string.L_PolicyEnableSIPHighSecurityMode)" explainText="$(string.L_ExplainText_EnableSIPHighSecurityMode)" presentation="$(presentation.L_PolicyEnableSIPHighSecurityMode)" key="software\policies\contoso\companyApp" valueName="enablesiphighsecuritymode">
          <parentCategory ref="Category1" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <enabledValue>
          <decimal value="1" />
          </enabledValue>
          <disabledValue>
          <decimal value="0" />
          </disabledValue>
          </policy>
          <policy name="L_PolicySipCompression" class="Machine" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression)" key="software\policies\contoso\companyApp">
          <parentCategory ref="Category1" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <elements>
          <enum id="L_PolicySipCompression" valueName="sipcompression">
          <item displayName="$(string.L_SipCompressionVal0)">
          <value>
          <decimal value="0" />
          </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal1)">
          <value>
          <decimal value="1" />
          </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal2)">
          <value>
          <decimal value="2" />
          </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal3)">
          <value>
          <decimal value="3" />
          </value>
          </item>
          </enum>
          </elements>
          </policy>
          <policy name="L_PolicyPreventRun" class="Machine" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun)" key="software\policies\contoso\companyApp" valueName="preventrun">
          <parentCategory ref="Category1" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <enabledValue>
          <decimal value="1" />
          </enabledValue>
          <disabledValue>
          <decimal value="0" />
          </disabledValue>
          </policy>
          <policy name="L_PolicyConfiguredServerCheckValues" class="Machine" displayName="$(string.L_PolicyConfiguredServerCheckValues)" explainText="$(string.L_ExplainText_ConfiguredServerCheckValues)" presentation="$(presentation.L_PolicyConfiguredServerCheckValues)" key="software\policies\contoso\companyApp">
          <parentCategory ref="Category2" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <elements>
          <text id="L_ConfiguredServerCheckValues_VALUE" valueName="configuredservercheckvalues" required="true" />
          </elements>
          </policy>
          <policy name="L_PolicySipCompression_1" class="User" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression_1)" key="software\policies\contoso\companyApp">
          <parentCategory ref="Category2" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <elements>
          <enum id="L_PolicySipCompression" valueName="sipcompression">
          <item displayName="$(string.L_SipCompressionVal0)">
          <value>
          <decimal value="0" />
          </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal1)">
          <value>
          <decimal value="1" />
          </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal2)">
          <value>
          <decimal value="2" />
          </value>
          </item>
          <item displayName="$(string.L_SipCompressionVal3)">
          <value>
          <decimal value="3" />
          </value>
          </item>
          </enum>
          </elements>
          </policy>
          <policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun">
          <parentCategory ref="Category3" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <enabledValue>
          <decimal value="1" />
          </enabledValue>
          <disabledValue>
          <decimal value="0" />
          </disabledValue>
          </policy>
          <policy name="L_PolicyGalDownloadInitialDelay_1" class="User" displayName="$(string.L_PolicyGalDownloadInitialDelay)" explainText="$(string.L_ExplainText_GalDownloadInitialDelay)" presentation="$(presentation.L_PolicyGalDownloadInitialDelay_1)" key="software\policies\contoso\companyApp">
          <parentCategory ref="Category3" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <elements>
          <decimal id="L_GalDownloadInitialDelay_VALUE" valueName="galdownloadinitialdelay" minValue="0" required="true" />
          </elements>
          </policy>
          </policies>
          </policyDefinitions>]]>
        </Data>
      </Item>
    </Add>
    <Final/>
  </SyncBody>
</SyncML>

回應 Syncml

<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>102</CmdRef><Cmd>Add</Cmd><Data>200</Data></Status>

設定應用程式原則的 URI 格式

下列範例示範如何衍生 Win32 或 傳統型橋接器 應用程式原則名稱和原則區域名稱:

<categories>
    <category name="ParentCategoryArea"/>
    <category name="Category1">
      <parentCategory ref="ParentCategoryArea" />
    </category>
    <category name="Category2">
      <parentCategory ref="ParentCategoryArea" />
    </category>
    <category name="Category3">
      <parentCategory ref="Category2" />
    </category>
  </categories>
<policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun">
      <parentCategory ref="Category3" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>

如原則 CSP 中所述,透過原則 CSP 設定原則的 URI 格式為: ./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}

使用者或裝置原則

在原則類別中,屬性會定義為 「User」 ,而 URI 前面會加上 ./user。 如果屬性值為 「Machine」 則 URI 前面會加上 ./device。 如果屬性值為 「Both」 則可以將原則設定為使用者或裝置原則。

原則 {AreaName} 格式為 {AppName}~{SettingType}~{CategoryPathFromAdmx}。 {AppName} 和 {SettingType} 衍生自用來匯入 ADMX 檔案的 URI。 在此範例中,URI 是: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01

{CategoryPathFromAdmx} 是透過周遊 parentCategory 参數來衍生。 在此範例中,{CategoryPathFromAdmx} 是 ParentCategoryArea~Category2~Category3。 因此,{AreaName} 是 ContosoCompanyApp~ Policy~ ParentCategoryArea~Category2~Category3。

因此,從範例中:

  • 類: User
  • 原則名稱: L_PolicyPreventRun_1
  • 原則區域名稱: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3
  • Uri: ./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1

ADMX 支援的應用程式原則範例

下列範例說明如何設定ADMX內嵌的應用程式原則。

啟用應用程式原則

承載

<enabled/>
<data id="L_ServerAddressInternal_VALUE" value="TextValue1"/>
<data id="L_ServerAddressExternal_VALUE" value="TextValue2"/>

要求 Syncml

<SyncML xmlns="SYNCML:SYNCML1.1">
  <SyncBody>
    <Replace>
      <CmdID>103</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Target>
          <LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
        </Target>
        <Data><![CDATA[<enabled/><data id="L_ServerAddressInternal_VALUE" value="TextValue1"/><data id="L_ServerAddressExternal_VALUE" value="TextValue2"/>]]></Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>

回應 SyncML

<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>103</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status>

停用應用程式原則

承載

<disabled/>

要求 SyncML

<SyncML xmlns="SYNCML:SYNCML1.1">
  <SyncBody>
    <Replace>
      <CmdID>104</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Target>
          <LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
        </Target>
        <Data><![CDATA[<disabled/>]]></Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>

回應 SyncML

<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>104</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status>

將應用程式原則設定為未設定

承載

(無)

要求 SyncML

<SyncML xmlns="SYNCML:SYNCML1.1">
  <SyncBody>
    <Delete>
      <CmdID>105</CmdID>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
        </Target>
      </Item>
    </Delete>
    <Final/>
  </SyncBody>
</SyncML>

回應 SyncML

<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>105</CmdRef><Cmd>Delete</Cmd><Data>200</Data></Status>