概觀
你可以用 Windows Mobile 裝置管理 (桌面 SKU 上的 MDM) , (ADMX 檔案) ADMX 檔案設定 Win32 和 傳統型橋接器 應用程式的 ADMX 政策。 定義政策資訊的 ADMX 檔案可透過政策 CSP URI ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall將資料導入您的裝置。 接收到的 ADMX 檔案接著會被處理成 MDM 政策。
從以下 Windows 版本 Replace 開始支援指令:
- Windows 10 版本 1903,需安裝 KB4512941 和 KB4517211
- Windows 10 版本 1809安裝了 KB4512534 和 KB
- Windows 10,版本為 1803,安裝了 KB4512509 和 KB
- Windows 10,版本 1709,安裝了 KB4516071 和 KB
當 ADMX 政策被擷取時,會檢查每個政策所寫入的登錄檔金鑰,以確保已知的系統登錄鍵,或現有收件匣政策或系統元件使用的登錄鍵,不會被覆寫。 此預防措施有助於避免開啟整個登記冊時的安全疑慮。 目前,所接收的政策不允許寫入 系統、 軟體\Microsoft及 軟體\政策\Microsoft 鍵內的位置,僅允許以下位置:
- 軟體\政策\Microsoft\Office\
- 軟體\Microsoft\Office\
- Software\Microsoft\Windows\CurrentVersion\Explorer\
- 軟體\Microsoft\Internet Explorer\
- 軟體\政策\微軟\共享工具\校對工具\
- Software\Policies\Microsoft\iMEJP\
- 軟體\政策\Microsoft\ime\共享\
- 軟體\政策\Microsoft\共享工具\圖形濾鏡\
- Software\Policies\Microsoft\Windows\Currentversion\Explorer\
- 軟體\政策\Microsoft\SoftwareProtectionPlatform\
- 軟體\政策\Microsoft\Office軟體保護平台\
- 軟體\政策\Microsoft\Windows\Windows 搜尋\偏好設定\
- 軟體\政策\Microsoft\exchange\
- 軟體\微軟\共享工具\校對工具\
- 軟體\Microsoft\共享工具\圖形濾鏡\
- 軟體\Microsoft\Windows\Windows 搜尋\偏好設定\
- 軟體\Microsoft\Exchange\
- 軟體\政策\微軟\VBA\安全\
- 軟體\Microsoft\OneDrive
- software\Microsoft\Edge
- Software\Microsoft\EdgeUpdate\
- Software\Microsoft\VisualStudio
- Software\Policies\Microsoft\VisualStudio
警告
部分作業系統元件內建功能可檢查裝置的網域成員資格。 MDM 只有在裝置已加入網域時才會強制執行設定的政策值,否則不會。 不過,無論裝置是網域加入還是非網域加入,你仍然可以匯入 ADMX 檔案並設定 ADMX 政策。
注意
無法透過自訂政策擷取設定的設定,必須直接推送適當的登錄檔金鑰 (,例如使用 PowerShell 腳本) 來設定。
匯入應用程式的 ADMX 檔案
以下的 ADMX 檔案範例說明如何從該檔案中擷取 Win32 或傳統型橋接器應用程式的 ADMX 檔案並設定政策。 ADMX 檔案定義了八種政策。
有效載荷:
<policyDefinitions revision="1.0" schemaVersion="1.0">
<categories>
<category name="ParentCategoryArea"/>
<category name="Category1">
<parentCategory ref="ParentCategoryArea" />
</category>
<category name="Category2">
<parentCategory ref="ParentCategoryArea" />
</category>
<category name="Category3">
<parentCategory ref="Category2" />
</category>
</categories>
<policies>
<policy name="L_PolicyConfigurationMode" class="Machine" displayName="$(string.L_PolicyConfigurationMode)" explainText="$(string.L_ExplainText_ConfigurationMode)" presentation="$(presentation.L_PolicyConfigurationMode)" key="software\policies\contoso\companyApp" valueName="configurationmode">
<parentCategory ref="Category1" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
<elements>
<text id="L_ServerAddressInternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressinternal" required="true" />
<text id="L_ServerAddressExternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressexternal" required="true" />
</elements>
</policy>
<policy name="L_PolicyEnableSIPHighSecurityMode" class="Machine" displayName="$(string.L_PolicyEnableSIPHighSecurityMode)" explainText="$(string.L_ExplainText_EnableSIPHighSecurityMode)" presentation="$(presentation.L_PolicyEnableSIPHighSecurityMode)" key="software\policies\contoso\companyApp" valueName="enablesiphighsecuritymode">
<parentCategory ref="Category1" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
<policy name="L_PolicySipCompression" class="Machine" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression)" key="software\policies\contoso\companyApp">
<parentCategory ref="Category1" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<enum id="L_PolicySipCompression" valueName="sipcompression">
<item displayName="$(string.L_SipCompressionVal0)">
<value>
<decimal value="0" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal1)">
<value>
<decimal value="1" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal2)">
<value>
<decimal value="2" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal3)">
<value>
<decimal value="3" />
</value>
</item>
</enum>
</elements>
</policy>
<policy name="L_PolicyPreventRun" class="Machine" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun)" key="software\policies\contoso\companyApp" valueName="preventrun">
<parentCategory ref="Category1" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
<policy name="L_PolicyConfiguredServerCheckValues" class="Machine" displayName="$(string.L_PolicyConfiguredServerCheckValues)" explainText="$(string.L_ExplainText_ConfiguredServerCheckValues)" presentation="$(presentation.L_PolicyConfiguredServerCheckValues)" key="software\policies\contoso\companyApp">
<parentCategory ref="Category2" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<text id="L_ConfiguredServerCheckValues_VALUE" valueName="configuredservercheckvalues" required="true" />
</elements>
</policy>
<policy name="L_PolicySipCompression_1" class="User" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression_1)" key="software\policies\contoso\companyApp">
<parentCategory ref="Category2" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<enum id="L_PolicySipCompression" valueName="sipcompression">
<item displayName="$(string.L_SipCompressionVal0)">
<value>
<decimal value="0" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal1)">
<value>
<decimal value="1" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal2)">
<value>
<decimal value="2" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal3)">
<value>
<decimal value="3" />
</value>
</item>
</enum>
</elements>
</policy>
<policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun">
<parentCategory ref="Category3" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
<policy name="L_PolicyGalDownloadInitialDelay_1" class="User" displayName="$(string.L_PolicyGalDownloadInitialDelay)" explainText="$(string.L_ExplainText_GalDownloadInitialDelay)" presentation="$(presentation.L_PolicyGalDownloadInitialDelay_1)" key="software\policies\contoso\companyApp">
<parentCategory ref="Category3" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<decimal id="L_GalDownloadInitialDelay_VALUE" valueName="galdownloadinitialdelay" minValue="0" required="true" />
</elements>
</policy>
</policies>
</policyDefinitions>
請求 Syncml:
ADMX 檔案會脫離並透過政策 CSP URI ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName}以 SyncML 格式傳送。
當 ADMX 檔案匯入時,每個新政策的政策狀態與一般 MDM 政策相同:啟用、停用或未設定。
以下範例展示了一個 SyncML 格式的 ADMX 檔案:
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>102</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01</LocURI>
</Target>
<Data>
<![CDATA[<policyDefinitions revision="1.0" schemaVersion="1.0">
<categories>
<category name="ParentCategoryArea"/>
<category name="Category1">
<parentCategory ref="ParentCategoryArea" />
</category>
<category name="Category2">
<parentCategory ref="ParentCategoryArea" />
</category>
<category name="Category3">
<parentCategory ref="Category2" />
</category>
</categories>
<policies>
<policy name="L_PolicyConfigurationMode" class="Machine" displayName="$(string.L_PolicyConfigurationMode)" explainText="$(string.L_ExplainText_ConfigurationMode)" presentation="$(presentation.L_PolicyConfigurationMode)" key="software\policies\contoso\companyApp" valueName="configurationmode">
<parentCategory ref="Category1" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
<elements>
<text id="L_ServerAddressInternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressinternal" required="true" />
<text id="L_ServerAddressExternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressexternal" required="true" />
</elements>
</policy>
<policy name="L_PolicyEnableSIPHighSecurityMode" class="Machine" displayName="$(string.L_PolicyEnableSIPHighSecurityMode)" explainText="$(string.L_ExplainText_EnableSIPHighSecurityMode)" presentation="$(presentation.L_PolicyEnableSIPHighSecurityMode)" key="software\policies\contoso\companyApp" valueName="enablesiphighsecuritymode">
<parentCategory ref="Category1" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
<policy name="L_PolicySipCompression" class="Machine" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression)" key="software\policies\contoso\companyApp">
<parentCategory ref="Category1" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<enum id="L_PolicySipCompression" valueName="sipcompression">
<item displayName="$(string.L_SipCompressionVal0)">
<value>
<decimal value="0" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal1)">
<value>
<decimal value="1" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal2)">
<value>
<decimal value="2" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal3)">
<value>
<decimal value="3" />
</value>
</item>
</enum>
</elements>
</policy>
<policy name="L_PolicyPreventRun" class="Machine" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun)" key="software\policies\contoso\companyApp" valueName="preventrun">
<parentCategory ref="Category1" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
<policy name="L_PolicyConfiguredServerCheckValues" class="Machine" displayName="$(string.L_PolicyConfiguredServerCheckValues)" explainText="$(string.L_ExplainText_ConfiguredServerCheckValues)" presentation="$(presentation.L_PolicyConfiguredServerCheckValues)" key="software\policies\contoso\companyApp">
<parentCategory ref="Category2" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<text id="L_ConfiguredServerCheckValues_VALUE" valueName="configuredservercheckvalues" required="true" />
</elements>
</policy>
<policy name="L_PolicySipCompression_1" class="User" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression_1)" key="software\policies\contoso\companyApp">
<parentCategory ref="Category2" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<enum id="L_PolicySipCompression" valueName="sipcompression">
<item displayName="$(string.L_SipCompressionVal0)">
<value>
<decimal value="0" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal1)">
<value>
<decimal value="1" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal2)">
<value>
<decimal value="2" />
</value>
</item>
<item displayName="$(string.L_SipCompressionVal3)">
<value>
<decimal value="3" />
</value>
</item>
</enum>
</elements>
</policy>
<policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun">
<parentCategory ref="Category3" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
<policy name="L_PolicyGalDownloadInitialDelay_1" class="User" displayName="$(string.L_PolicyGalDownloadInitialDelay)" explainText="$(string.L_ExplainText_GalDownloadInitialDelay)" presentation="$(presentation.L_PolicyGalDownloadInitialDelay_1)" key="software\policies\contoso\companyApp">
<parentCategory ref="Category3" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<decimal id="L_GalDownloadInitialDelay_VALUE" valueName="galdownloadinitialdelay" minValue="0" required="true" />
</elements>
</policy>
</policies>
</policyDefinitions>]]>
</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
回應同步:
<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>102</CmdRef><Cmd>Add</Cmd><Data>200</Data></Status>
用於設定應用程式政策的 URI 格式
以下範例說明如何衍生 Win32 或傳統型橋接器應用程式的政策名稱及政策區域名稱:
<categories>
<category name="ParentCategoryArea"/>
<category name="Category1">
<parentCategory ref="ParentCategoryArea" />
</category>
<category name="Category2">
<parentCategory ref="ParentCategoryArea" />
</category>
<category name="Category3">
<parentCategory ref="Category2" />
</category>
</categories>
<policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun">
<parentCategory ref="Category3" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
如Policy CSP所述,透過Policy CSP配置政策的URI格式為: ./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}。
使用者或裝置政策:
在政策類別中,屬性定義為「User」,URI 前綴為 ./user。
若屬性值為「Machine」,則 URI 前綴 ./device為 。
若屬性值為「兩者皆為」,則可設定為使用者或裝置政策。
policy的{AreaName}格式為{AppName}~{SettingType}~{CategoryPathFromAdmx}。
{AppName} 和 {SettingType} 是從用來匯入 ADMX 檔案的 URI 衍生而來。 在此範例中,URI 為: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01。
{CategoryPathFromAdmx} 是透過遍歷 parentCategory 參數而得出。 在此範例中,{CategoryPathFromAdmx} 是 ParentCategoryArea~Category2~Category3。 因此,{AreaName} 是 ContosoCompanyApp~ 政策~ParentCategoryArea~Category2~Category3。
因此,根據範例:
- 班:
User - 保單名稱:
L_PolicyPreventRun_1 - 政策領域名稱:
ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3 - URI:
./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1
ADMX 支持的應用程式政策範例
以下範例說明如何設定 ADMX 匯入的應用程式政策。
啟用應用程式政策
有效載荷:
<enabled/>
<data id="L_ServerAddressInternal_VALUE" value="TextValue1"/>
<data id="L_ServerAddressExternal_VALUE" value="TextValue2"/>
請求 Syncml:
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>103</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
</Target>
<Data><![CDATA[<enabled/><data id="L_ServerAddressInternal_VALUE" value="TextValue1"/><data id="L_ServerAddressExternal_VALUE" value="TextValue2"/>]]></Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
回應同步學習:
<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>103</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status>
停用應用程式政策
有效載荷:
<disabled/>
請求 SyncML:
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Replace>
<CmdID>104</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
</Target>
<Data><![CDATA[<disabled/>]]></Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
回應同步學習:
<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>104</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status>
將應用程式政策設定為未設定
有效載荷:
(無)
請求 SyncML:
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
<Delete>
<CmdID>105</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
回應同步學習:
<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>105</CmdRef><Cmd>Delete</Cmd><Data>200</Data></Status>