Wednesday, May 10, 2006

GPO Administrative Templates in Vista Part 3

So now we move on from the previous post and construct some of the policy syntax for the ADM template by extracting the information from the ADMX/ADML templates.

Simple Policy Syntax
In the ADMX template, after the last category (signified by the final </category>) you will see the beginning of the policies section.  Using the Device Installation ADMX/ADML files as a basis, the first policy is as shown here:-

<policy name="DeviceInstall_AllSigningEqual" class="Machine" displayName="$(string.DeviceInstall_AllSigningEqual)" explainText="$(string.DeviceInstall_AllSigningEqual_Help)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Settings" valueName="AllSigningEqual">
      <parentCategory ref="DeviceInstall_Category" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>

So we can see that, as mentioned in the previous post, the policy class is stated on a per-policy basis in ADMX (in an ADM the class is set once for a whole section with CLASS MACHINE or CLASS USER, so this policy belongs in the CLASS MACHINE section).  The displayName and explainText attributes work in much the same way as with the categories: they are linked to strings in the ADML template file, shown here:-

<string id="DeviceInstall_AllSigningEqual">Treat drivers signed by Microsoft the same as those signed by others</string>
      <string id="DeviceInstall_AllSigningEqual_Help">When selecting which driver to install, do not distinguish between drivers that are signed by Microsoft and drivers that are signed by others.

If you enable this setting, drivers will be selected for installation based on other criteria (such as version number or when the driver was created) rather than whether the driver was signed by Microsoft or by another vendor. A signed driver will still be preferred over a driver that is not signed at all. However, drivers that are signed by Microsoft will not be preferred over other drivers.

If you disable or do not configure this setting, drivers that are signed by Microsoft will be selected for installation over drivers that are signed by other vendors.</string>

The ADMX snippet also gives the registry key, the value name and what the value is set to when the policy is enabled or disabled.  In this case the value AllSigningEqual under HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings is written as a DWORD of 1 when enabled and 0 when disabled (class="Machine" is what puts the key under HKLM).  The supportedOn reference is dropped in the conversion; ADM only offers an informational SUPPORTED !!string line for it.

Extracting this information and constructing the equivalent section of the ADM template gives you this:-

POLICY !!DeviceInstall_AllSigningEqual
    KEYNAME "Software\Policies\Microsoft\Windows\DeviceInstall\Settings"
    EXPLAIN !!DeviceInstall_AllSigningEqual_HELP
    VALUENAME "AllSigningEqual"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
END POLICY

And in the strings section:-

DeviceInstall_AllSigningEqual="Treat drivers signed by Microsoft the same as those signed by others"
DeviceInstall_AllSigningEqual_HELP="When selecting which driver to install, do not distinguish between drivers that are signed by Microsoft and drivers that are signed by others.\n\nIf you enable this setting, drivers will be selected for installation based on other criteria (such as version number or when the driver was created) rather than whether the driver was signed by Microsoft or by another vendor. A signed driver will still be preferred over a driver that is not signed at all. However, drivers that are signed by Microsoft will not be preferred over other drivers.\n\nIf you disable or do not configure this setting, drivers that are signed by Microsoft will be selected for installation over drivers that are signed by other vendors."

Listbox Syntax
This becomes a little more interesting when you encounter policies with multiple ‘Parts’ (to use ADM syntax); in ADMX these have become ‘Elements’.  All the information needed to construct them is in the ADMX and ADML templates, but it is spread across three places (the policy's <elements> in the ADMX, the string table and the presentation table in the ADML), so it is a pain to gather.  Once you have it, the policy syntax is pretty intuitive to construct if you are used to constructing or amending ADM templates.

Here is an example of a listbox from the same ADMX/ADML template set:-

From the ADMX template:-

<policy name="DeviceInstall_Classes_Deny" class="Machine" displayName="$(string.DeviceInstall_Classes_Deny)" explainText="$(string.DeviceInstall_Classes_Deny_Help)" presentation="$(presentation.DeviceInstall_Classes_Deny)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="DenyDeviceClasses">
      <parentCategory ref="DeviceInstall_Restrictions_Category" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
      <elements>
        <list id="DeviceInstall_Classes_Deny_List" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" valuePrefix="" />
      </elements>
    </policy>

From the ADML:-
<string id="DeviceInstall_Classes_Deny">Prevent installation of drivers matching these device setup classes</string>
      <string id="DeviceInstall_Classes_Deny_Help">Specifies a list of Plug and Play device setup class GUIDs for devices that cannot be installed.

If you enable this setting, new devices cannot be installed and existing devices cannot be updated if they use drivers that belong to any of the listed device setup classes.

If you disable or do not configure this setting, new devices can be installed and existing devices can be updated as permitted by other policy settings for device installation.

NOTE: This policy setting takes precedence over any other policy settings that allow a device to be installed. If this policy setting prevents a device from being installed, the device cannot be installed or updated, even if it matches another policy setting that would allow installation of that device.</string>

Also from the ADML:-
<presentation id="DeviceInstall_Classes_Deny">
        <listBox refId="DeviceInstall_Classes_Deny_List">Prevent installation of devices using drivers for these device setup classes:</listBox>
        <text>To create a list of device classes, click Show, click Add,</text>
        <text>and specify a GUID that represents a device setup class</text>
        <text>(for example, {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}).</text>
      </presentation>

The equivalent sections in an ADM would be constructed as follows:-

POLICY !!DeviceInstall_Classes_Deny
    KEYNAME "Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions"
    EXPLAIN !!DeviceInstall_Classes_Deny_HELP
    VALUENAME "DenyDeviceClasses"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    PART !!DeviceInstall_Classes_Deny_LIST LISTBOX
        KEYNAME "Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses"
        VALUEPREFIX ""
    END PART
    PART !!DeviceInstall_Classes_Deny_TEXT1 TEXT
    END PART
    PART !!DeviceInstall_Classes_Deny_TEXT2 TEXT
    END PART
    PART !!DeviceInstall_Classes_Deny_TEXT3 TEXT
    END PART
END POLICY

And in the strings section (the policy name and help text come from the string table, the listbox label and the three lines of static text from the presentation):-

DeviceInstall_Classes_Deny="Prevent installation of drivers matching these device setup classes"
DeviceInstall_Classes_Deny_HELP="Specifies a list of Plug and Play device setup class GUIDs for devices that cannot be installed.\n\nIf you enable this setting, new devices cannot be installed and existing devices cannot be updated if they use drivers that belong to any of the listed device setup classes.\n\nIf you disable or do not configure this setting, new devices can be installed and existing devices can be updated as permitted by other policy settings for device installation.\n\nNOTE: This policy setting takes precedence over any other policy settings that allow a device to be installed. If this policy setting prevents a device from being installed, the device cannot be installed or updated, even if it matches another policy setting that would allow installation of that device."
DeviceInstall_Classes_Deny_LIST="Prevent installation of devices using drivers for these device setup classes:"
DeviceInstall_Classes_Deny_TEXT1="To create a list of device classes, click Show, click Add,"
DeviceInstall_Classes_Deny_TEXT2="and specify a GUID that represents a device setup class"
DeviceInstall_Classes_Deny_TEXT3="(for example, {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835})."

The second section taken from the ADML template comes from the presentation table, which sits towards the bottom of the template after the string table.  The listBox's refId matches the id of the <list> element in the ADMX policy, and that <list> element is where the key and valuePrefix for the LISTBOX part come from.  VALUEPREFIX "" means each entry the administrator adds is stored under the DenyDeviceClasses key as a value named 1, 2, 3 and so on, with the GUID as its data, which is exactly what the ADMX valuePrefix="" produces.
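Both conversions on this page (the on/off policy and the listbox with its text parts) are mechanical enough to script.  The following Python is an added example, not code from the original post: it parses a trimmed ADMX/ADML pair, constructed here from the DeviceInstall snippets quoted above with the help text shortened, and emits the ADM policy fragment and its [strings] entries.  The namespace URL is the one Vista-era ADMX/ADML files declare; category nesting and supportedOn are not handled, so the output is a fragment to paste into an existing CATEGORY block.  It also goes slightly beyond the two cases on the page by mapping a <list> with explicitValue="true" to the ADM EXPLICITVALUE keyword.

```python
# Added example (not from the original post): pull the pieces the post gathers by hand out of an
# ADMX/ADML pair and emit the equivalent ADM policy fragment plus its [strings] entries. Covers
# on/off policies and listBox/text parts; category nesting and supportedOn are left out.
# The sample input below is constructed, cut down from the DeviceInstall snippets in the post.
import re
import xml.etree.ElementTree as ET

ADMX = r"""<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="DeviceInstall_AllSigningEqual" class="Machine" displayName="$(string.DeviceInstall_AllSigningEqual)"
            explainText="$(string.DeviceInstall_AllSigningEqual_Help)" valueName="AllSigningEqual"
            key="Software\Policies\Microsoft\Windows\DeviceInstall\Settings">
      <enabledValue><decimal value="1" /></enabledValue><disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="DeviceInstall_Classes_Deny" class="Machine" displayName="$(string.DeviceInstall_Classes_Deny)"
            explainText="$(string.DeviceInstall_Classes_Deny_Help)" presentation="$(presentation.DeviceInstall_Classes_Deny)"
            key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="DenyDeviceClasses">
      <enabledValue><decimal value="1" /></enabledValue><disabledValue><decimal value="0" /></disabledValue>
      <elements>
        <list id="DeviceInstall_Classes_Deny_List" valuePrefix=""
              key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>"""

ADML = r"""<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <resources>
    <stringTable>
      <string id="DeviceInstall_AllSigningEqual">Treat drivers signed by Microsoft the same as those signed by others</string>
      <string id="DeviceInstall_AllSigningEqual_Help">Do not distinguish between drivers signed by Microsoft and by others.

If you enable this setting, drivers are selected on other criteria.</string>
      <string id="DeviceInstall_Classes_Deny">Prevent installation of drivers matching these device setup classes</string>
      <string id="DeviceInstall_Classes_Deny_Help">Specifies a list of device setup class GUIDs that cannot be installed.</string>
    </stringTable>
    <presentationTable>
      <presentation id="DeviceInstall_Classes_Deny">
        <listBox refId="DeviceInstall_Classes_Deny_List">Prevent installation of devices using drivers for these device setup classes:</listBox>
        <text>To create a list of device classes, click Show, click Add,</text>
        <text>and specify a GUID that represents a device setup class</text>
        <text>(for example, {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}).</text>
      </presentation>
    </presentationTable>
  </resources>
</policyDefinitionResources>"""

def _parse(xml_text):
    """Parse and strip the namespace so elements can be matched by local tag name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root

def _ref(attr):  # '$(string.Foo)' or '$(presentation.Foo)' -> 'Foo'; None when attr is not a reference
    m = re.fullmatch(r"\$\((?:string|presentation)\.(\w+)\)", attr or "")
    return m.group(1) if m else None

def _adm_text(s):  # ADM string literals sit on one line, so ADML line breaks become the two characters \n
    return (s or "").replace("\n", "\\n")

def convert(admx_text, adml_text):
    """Return (adm_lines, adm_strings) for every <policy> in the ADMX text."""
    admx, adml = _parse(admx_text), _parse(adml_text)
    strings = {s.get("id"): s.text for s in adml.iter("string")}
    presentations = {p.get("id"): p for p in adml.iter("presentation")}
    lines, adm_strings = [], {}
    for pol in admx.iter("policy"):
        name = pol.get("name")
        adm_strings[name] = _adm_text(strings[_ref(pol.get("displayName"))])
        adm_strings[name + "_HELP"] = _adm_text(strings[_ref(pol.get("explainText"))])
        lines += [f"POLICY !!{name}", f'    KEYNAME "{pol.get("key")}"', f"    EXPLAIN !!{name}_HELP"]
        if pol.get("valueName"):  # on/off policy: enabledValue/disabledValue become VALUEON/VALUEOFF
            on, off = pol.find("enabledValue/decimal"), pol.find("disabledValue/decimal")
            lines += [f'    VALUENAME "{pol.get("valueName")}"', f"    VALUEON NUMERIC {on.get('value')}",
                      f"    VALUEOFF NUMERIC {off.get('value')}"]
        # Parts: the label text lives in the ADML presentation, the key/valuePrefix in the ADMX <elements>.
        lists = {lst.get("id"): lst for lst in pol.iter("list")}
        pres, text_n = presentations.get(_ref(pol.get("presentation"))), 0
        for part in (pres if pres is not None else []):
            if part.tag == "listBox":
                lst, sid = lists[part.get("refId")], f"{name}_LIST"
                adm_strings[sid] = _adm_text(part.text)
                lines += [f"    PART !!{sid} LISTBOX", f'        KEYNAME "{lst.get("key")}"']
                if lst.get("explicitValue") == "true":
                    lines.append("        EXPLICITVALUE")  # the user supplies both value name and data
                elif lst.get("valuePrefix") is not None:  # "" means entries are stored as values named 1, 2, 3 ...
                    lines.append(f'        VALUEPREFIX "{lst.get("valuePrefix")}"')
                lines.append("    END PART")
            elif part.tag == "text":
                text_n += 1
                adm_strings[f"{name}_TEXT{text_n}"] = _adm_text(part.text)
                lines += [f"    PART !!{name}_TEXT{text_n} TEXT", "    END PART"]
        lines += ["END POLICY", ""]
    return lines, adm_strings

def to_adm(admx_text, adml_text):  # policy fragment followed by the [strings] section
    lines, adm_strings = convert(admx_text, adml_text)
    return "\n".join(lines + ["[strings]"] + [f'{k}="{v}"' for k, v in adm_strings.items()]) + "\n"
```

Calling to_adm(ADMX, ADML) prints the same two POLICY blocks and string entries as the hand-built sections above (with the shortened help text).  The order of the LISTBOX and TEXT parts is taken from the presentation element, which is also what fixes the order they appear in the Group Policy editor; a real ADMX set will also need the CATEGORY wrappers and CLASS line from the previous post around the output.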

The rest, I think, is pretty intuitive, and the other ADM syntaxes are equally straightforward to construct.
