The Policy CSP, ADMX-backed Policies and Policies supported by Group Policy

Holger Voges 116 Reputation points
2020-11-10T08:25:33.357+00:00

Hello Everyone,
I am struggling with ADMX-based Policies. I read the article "Understanding ADMX-backed policies" several times, but some points are still not clear to me.

Question One: Does the Policy CSP have any Policies that are not ADMX-backed?

Question Two: In the Policy CSP-Documentation there is a drop-down Filter for Policies "supported by Group Policy" and "Admx-backed policies". But some of the first category like "Autoplay/TurnOffautoPlay" are in both. I couldn't find any documentation stating the difference. Can anybody clarify this for me?

Question Three: The "Understanding"-Article states that the Policy CSP is processing the ADMX-Files at OS-build time. Does this mean "Build-Time" as in Compiling the code or installing the OS? And if it means "installing the OS", why are only the Policies documented in the Policy CSP available for Configuration and not all ADMX-based Group Policies available on the Client?

Question Four: Where is the Policy CSP located? Is it implemented in WMI, or are these only the WMI-Bridge-Functions?

Thank you for the Clarification,
Holger


Accepted answer
  1. Holger Voges 116 Reputation points
    2020-11-11T08:19:37.28+00:00

    Hi Chrystal,

    thank you for your answer. Some further comments and questions to your answers:

    Q1: Was a silly question. Thank you for the clarification.

    Q2: Yes, that's what I would have thought. But there are policies (e.g. ActiveXControls/ApprovedInstallationSites) that are listed when I use the "supported by" Filter that state in their documentation "This is an ADMX-backed policy". Can a policy be ADMX-backed and supported by group policy? That makes no sense to me.

    A3: For the OS build time, based on my understanding, it is the time we install the OS. When the product team deploys a policy, it needs a lot of testing, which takes time. I think more and more policies will be published in the future.

    That was my interpretation on first sight, too. But it doesn't really make sense, because then it should be possible to reference every admx-based policy, right? That's what was confusing me. I think the team meant the settings are automatically enumerated at OS-Compile time and that's why they are even able to make a consistent documentation of the Policy CSP. If the settings are all the same anyway (as they must be, otherwise they couldn't be documented), why should you enumerate them at installation time? Makes no sense to me.

    A4: The client receives the configuration settings via the SyncML document data push and the transferred OMA-URI maps to the corresponding CSP. The targeted CSPs are responsible for configuring the settings. I researched and found a link that describes this. We can read it as a reference.
    https://oliverkieselbach.com/2019/07/18/intune-policy-processing-on-windows-10-explained/
    Note: Non-Microsoft link, just for the reference.

    Thank you for the link, but I read Oliver's whole blog at least 3 times and it doesn't clarify my question, which is: Where is the CSP located? There must be some kind of client software like the Group Policy Client. I found a couple of WMI-Methods but don't know if they are just part of the WMI-Bridge or if they are somehow involved in the CSP-Processing. There must be some kind of Client - either the CSP itself is one, or the CSPs are called the same way Group Policy Extensions are.

    Thank you very much,
    Holger


3 additional answers

  1. Crystal-MSFT 45,656 Reputation points Microsoft Vendor
    2020-11-11T03:38:15.787+00:00

    @Holger Voges, for your questions, here are my answers for reference:
    Q1: Does the Policy CSP have any Policies that are not ADMX-backed?
    A1: Yes. In fact, the Policy configuration service provider enables the enterprise to configure policies on Windows 10. There are some Policy CSP like Accounts, Power, Security, etc. that are not ADMX-backed. We can see more details in the following link:
    https://video2.skills-academy.com/en-us/windows/client-management/mdm/policy-configuration-service-provider

    Q2: In the Policy CSP-Documentation there is a drop-down Filter for Policies "supported by Group Policy" and "Admx-backed policies". But some of the first category like "Autoplay/TurnOffautoPlay" are in both. I couldn't find any documentation stating the difference. Can anybody clarify this for me?
    A2: An ADMX file can either be shipped with Windows (located at %SystemRoot%\policydefinitions) or it can be ingested to a device through the Policy CSP URI (./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall).
    For the "Policies in Policy CSP supported by Group Policy", it lists which policies in Policy CSP are supported by Group Policy, which means we can configure them in Group Policy on a Windows device.
    For the "ADMX-backed policies in Policy CSP", it lists the policies we can deploy via SyncML or Policy CSP URI.
    The two lists are used in different scenarios. One is managed by Group Policy and the other is managed by MDM.
    We can see more details in the following link:
    https://video2.skills-academy.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies

    Q3: The "Understanding"-Article states that the Policy CSP is processing the ADMX-Files at OS-build time. Does this mean "Build-Time" as in Compiling the code or installing the OS? And if it means "installing the OS", why are only the Policies documented in the Policy CSP available for Configuration and not all ADMX-based Group Policies available on the Client?
    A3: The OS build time can be understood as when an OS version is developed, or OS-Compile time; the admx is included in the OS.

    Q4: Where is the Policy CSP located? Is it implemented in WMI, or are these only the WMI-Bridge-Functions?
    A4: The client receives the configuration settings via the SyncML document data push and the transferred OMA-URI maps to the corresponding CSP. The targeted CSPs are responsible for configuring the settings. I researched and found a link that describes this. We can read it as a reference.
    https://oliverkieselbach.com/2019/07/18/intune-policy-processing-on-windows-10-explained/
    Note: Non-Microsoft link, just for the reference.

    Hope it can help.


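
Added example, not part of the answer above and not Microsoft's code: a Python sketch of the mapping A2 and A4 describe, reading the target OMA-URI of each SyncML command and separating ADMX ingestion, Policy CSP settings and other CSPs. The SyncML body and the ContosoApp/ContosoAdmx/Cat1/Setting1 names are constructed for illustration; the `~`-separated area name for ingested ADMX settings follows the documented URI convention.

```python
import xml.etree.ElementTree as ET

# Constructed SyncML body (not captured from a real device or tenant).
SAMPLE_SYNCML = """<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>
  <Add><CmdID>1</CmdID><Item><Target>
    <LocURI>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoApp/Policy/ContosoAdmx</LocURI>
  </Target></Item></Add>
  <Replace><CmdID>2</CmdID><Item><Target>
    <LocURI>./Device/Vendor/MSFT/Policy/Config/Autoplay/TurnOffAutoPlay</LocURI>
  </Target></Item></Replace>
  <Replace><CmdID>3</CmdID><Item><Target>
    <LocURI>./Device/Vendor/MSFT/Policy/Config/ContosoApp~Policy~Cat1/Setting1</LocURI>
  </Target></Item></Replace>
  <Get><CmdID>4</CmdID><Item><Target>
    <LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
  </Target></Item></Get>
  <Final/></SyncBody></SyncML>"""

def classify(uri):
    """Map an OMA-URI to (kind, detail) based on its path under Vendor/MSFT."""
    parts = uri.split("/")
    if "MSFT" not in parts:
        return ("unknown", None)
    rest = parts[parts.index("MSFT") + 1:]
    if not rest:
        return ("unknown", None)
    if rest[0] != "Policy":
        return ("other-csp", rest[0])            # handled by a different CSP
    if rest[1:3] == ["ConfigOperations", "ADMXInstall"]:
        return ("admx-ingestion", "/".join(rest[3:]))
    if len(rest) >= 4 and rest[1] == "Config":
        area, name = rest[2], rest[3]
        # Ingested ADMX settings use App~SettingType~Category as the area.
        # A built-in area may or may not be ADMX-backed; the URI alone
        # cannot tell, which is why the documentation lists overlap.
        kind = "ingested-admx-policy" if "~" in area else "built-in-policy"
        return (kind, f"{area}/{name}")
    return ("policy-other", "/".join(rest[1:]))

def audit(syncml_text):
    """Return (command, kind, detail) for every LocURI in the document."""
    rows = []
    for cmd in ET.fromstring(syncml_text).iter():
        name = cmd.tag.rsplit("}", 1)[-1]        # drop the XML namespace
        if name not in ("Add", "Replace", "Delete", "Get", "Exec"):
            continue
        for el in cmd.iter():
            if el.tag.rsplit("}", 1)[-1] == "LocURI" and el.text:
                rows.append((name, *classify(el.text.strip())))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_SYNCML):
        print(row)
```
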

  2. Jason Sandys 31,186 Reputation points Microsoft Employee
    2020-11-11T15:21:08.657+00:00

    then it should be possible to reference every admx-based policy,

    No, not today. Built-in ADMXs must be added to an internal allow-list to be referenced and used by the Policy CSP. Prior to 1703, I don't think there actually were any that were allowed. In 20H2 we've added many additional to the allow list and a second wave is set for next year that will add the remaining built-in ADMXs to the allow list.

    For Q4. The core implementation of CSPs is not a technical detail that is publicly documented and is meant to be opaque. It is most definitely part of the OS itself though. It is completely unrelated to WMI although you can use the WMI bridge as a local API layer.

    For Q2. The difference is as alluded to for Q3. Basically, the initial direction for MDM management in Windows was to provide a very limited set of policies and there was no direct way to leverage ADMXs. However, some of the settings within the built-in ADMXs were included in that limited set of policies to be included so we needed a native, MDM way to configure these ADMX equivalent settings without using the ADMXs.


  3. Jason Sandys 31,186 Reputation points Microsoft Employee
    2020-11-12T14:58:26.51+00:00

    Does that mean that ADMX-Processing is indeed taking place during OS-Installation level?

    For built-in policies, no, this happens at build/compile time as noted by @Crystal-MSFT .

    As for the overlap, I didn't see any, but if there are any, no I don't know specifically why although my guess is that we didn't initially implement every setting possible and so later added the ADMX. Not sure if that even makes sense though as this is just a guess.