Custom policy configurations for Windows 10 and 11
Windows Configuration Service Provider (CSP) enables IT admins to configure multiple custom policies for Windows 10 and 11 devices. These CSP-based policies use Open Mobile Alliance - Uniform Resource Identifiers (OMA-URIs), which are paths to the specific settings in Windows. With GoTo Resolve MDM, you can build the OMA-URI in a configuration profile and add a new custom policy easily for your managed Windows device.
GoTo Resolve MDM supports Policy CSPs, excluding policies starting with ADMX_. Note that the supported policies vary between Windows versions: the features of the Windows 10 and 11 editions differ from each other, and new policies arrive with new version releases. You can find the details and requirements of each policy in Microsoft's Policy CSP documentation.
If both an MDM-based CSP policy and its equivalent Group Policy (GP) are set on a device, the group policy wins over the CSP policy by default. However, IT administrators can use the ControlPolicyConflicts policy to ensure that the MDM-based CSP policy wins over the GP if there is a conflict.
Create a custom policy configuration
- Start creating a new configuration from the Configuration profiles page on GoTo Resolve MDM. Select Add, choose the platform, and then Custom policy.
- Define the type of configuration in the Policy CSP (build the OMA-URI).
- Choose the Area name from the drop-down menu. All policies that can be configured with GoTo Resolve MDM are included in the drop-down menu.
- Check the policies and requirements in Microsoft's documentation. When you have chosen the Area name, the link takes you to the selected area in the documentation, where you can find and copy the correct Policy name.
- Define the Policy settings by entering the value, then select Add. You can add multiple name/value pairs of the policy area in one custom policy.
- The Microsoft Policy CSP documentation provides information about the supported values.
Create a custom ADMX-backed policy configuration
- Each Windows device has a folder containing ADMX files (C:\Windows\PolicyDefinitions). The GP ADMX file name tells you which file to search for the input to the value field.
- The GP name shows the policy name you need to look for in the file, in this case, DCHibernateTimeOut_2. Inside the <elements> tag, you can find the configurable values. There can be several values, but for this example, there is only one:
<elements> <decimal id="EnterDCHibernateTimeOut" valueName="DCSettingIndex" required="true" maxValue="4294967295" /> </elements>
- The value to enter in the custom configuration is <enabled /><data id="EnterDCHibernateTimeOut" value="TimeInSeconds"></data>.
- You can find more information about ADMX-backed policies and how to create the required XML value from Microsoft's documentation.
Create a policy that defines the inactivity period before Windows transitions to hibernate when the device is on battery.
Results: When you have created the policy, you can deploy it to managed devices like any other configuration profile in GoTo Resolve MDM. If you would like to see more configuration examples, read the article on how to prevent unenrollment of the MDM profile on Windows 10 and 11.
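The ADMX lookup described above can be checked before the value is pasted into the profile. The following Python code is an added example, not GoTo's or Microsoft's code: it reads the policy's <elements> block and builds the <enabled /><data ...> value, rejecting ids the policy does not define and numbers outside the allowed range. The names SAMPLE_ADMX, local, policy_elements and build_value are hypothetical, the ADMX fragment and the 3600-second value are constructed samples, and the fallback bounds for a decimal element without minValue/maxValue are an assumption.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr
# Constructed stand-in for an ADMX file; only the <elements> block is from the page.
SAMPLE_ADMX = """<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="DCHibernateTimeOut_2">
      <elements>
        <decimal id="EnterDCHibernateTimeOut" valueName="DCSettingIndex" required="true" maxValue="4294967295" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>"""

def local(tag):
    """Drop the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def policy_elements(admx_text, policy_name):
    """Return the configurable elements of one policy as a list of dicts."""
    for node in ET.fromstring(admx_text).iter():
        if local(node.tag) == "policy" and node.get("name") == policy_name:
            return [dict(el.attrib, kind=local(el.tag))
                    for group in node if local(group.tag) == "elements"
                    for el in group]
    raise KeyError(f"policy {policy_name!r} not found")

def build_value(admx_text, policy_name, values):
    """Build the custom-policy value, refusing input the ADMX does not allow."""
    elements = policy_elements(admx_text, policy_name)
    unknown = set(values) - {el["id"] for el in elements}
    if unknown:
        raise ValueError(f"ids not defined for this policy: {sorted(unknown)}")
    parts = ["<enabled />"]
    for el in elements:
        if el["id"] not in values:
            if el.get("required") == "true":
                raise ValueError(f"missing required element {el['id']!r}")
            continue
        value = values[el["id"]]
        if el["kind"] == "decimal":
            # Assumption: bounds default to 0 and 9999 when the ADMX omits them.
            low, high = int(el.get("minValue", 0)), int(el.get("maxValue", 9999))
            if not isinstance(value, int) or not low <= value <= high:
                raise ValueError(f"{el['id']}: {value!r} is outside {low}..{high}")
        parts.append(f"<data id={quoteattr(el['id'])} value={quoteattr(str(value))}></data>")
    return "".join(parts)

if __name__ == "__main__":
    print(build_value(SAMPLE_ADMX, "DCHibernateTimeOut_2", {"EnterDCHibernateTimeOut": 3600}))
```

To run it against a real device file, pass the text of the file named by the GP ADMX file name in place of SAMPLE_ADMX.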
Update the policy configuration
The layout of the screen may look different in the product.
Custom CSP example
- Area Name: Storage
- Policy name: RemovableDiskDenyWriteAccess
- Value: 1
Different policy types
- We currently support only Policy CSP.
- We don't support policies starting with "ADMX_".
- ADMX-backed policies are different from policies starting with ADMX_. For further information, please see the Understanding ADMX policies article by Microsoft.
- Some policies are really simple to use, as their values are just simple numbers or similar.
Remove custom configuration policies
Be extra careful when you remove custom configuration policies.