Machine Options

Here is a list of options impacting Device Control.

These may be used in the JSON policy sections for Options.

| Option | Id | Default | Values |
| --- | --- | --- | --- |
| Certificate Generation | 48 | 0 | 0:Automatic, 1:Disabled |
| Client Hardening | 58 | 0 | 0:Disabled, 1:Basic, 2:Extended |
| Connectivity State Definition | 60 | 0 | 0:Server connectivity, 1:Wired connectivity, 2:Controlled by API |
| Device Eventlog | 83 | 0 | 0:Disabled, 1:Enabled |
| Device Log | 49 | 0 | 0:Disabled, 1:Enabled |
| Encryption Clear Unused Space | 70 | 0 | 0:Disabled, 1:Enabled |
| Encryption Grace Period | 71 | 0 | In hours |
| Encryption Notification | 75 | | Message displayed to the user to notify them they could encrypt a removable in order to gain access to it |
| Encryption Retain Data | 74 | 0 | 0:Unselected, 1:Forced unselected, 2:Selected, 3:Forced selected |
| Endpoint Status | 25 | 1 | 0:Do not Show, 1:Show All, 2:Show All without Shadow, 3:Show Allowed, 4:Show Allowed without Shadow, 5:Show Configured, 6:Show Configured without Shadow |
| Hash Algorithm Selection | 88 | 0 | 0:SHA-1, 1:SHA-256 |
| Installation Mode | 79 | 0 | 0:Standalone, 1:LEMSS integration |
| Key Logger Exclusions | 77 | | List of key logger false positives, specified by hardware ID and separated by commas |
| Microsoft CA Key Provider | 76 | 0 | 0:Disabled, 1:Enabled (Decentralized), 2:Enabled |
| Offline Public Key | 62 | | TBD (serialized EC public key) |
| Override Optical Disc Shadowing | 66 | 0 | 0:Deny access, 1:Offer filename shadow to switch to no shadow and grant access, 2:Offer full shadow to switch to no shadow and grant access, 3:Offer filename shadow or full shadow to switch to no shadow and grant access, 4:Offer filename shadow to switch to full shadow and grant access |
| Password Complexity | 45 | 0 | 0:Enforced, 1:Relaxed |
| Password Minimum Length | 68 | 6 | Valid values are from 6 to 99 |
| Portable Encryption Capacity | 78 | 128 | Defined maximum size for portable encryption using FAT32, from 128 to 2048 GB. |
| Rule Priorities | 81 | 0 | 0:Media policies prevails, 1:Device policies prevails |
| Shadow Directory | 24 | | When not defined, \SystemRoot\SxData\shadow is used. |
| Shadow File Maximum Size | 94 | 0 | Limits the maximum size of files shadowed to the server. Files over this size have only their names shadowed. A value of 0 disables this behavior. |
| SysLog server Address | 67 | | SysLog address, either using name or IPv4 |
| Update Notification | 26 | 2 | 0:No messages, 1:Temporary device permission changes, 2:All device permission changes |
| USB Key Logger | 55 | 0 | 0:Disabled, 1:Notify user, 2:Log event, 3:Notify user and log event, 4:Block keyboard and notify user, 5:Block keyboard and log event, 6:Block, notify and log event, 7:Exclusive mode (Lock/block, notify and log event) |
| User Certificate Template Name | 65 | User | Specifies the template name when requesting a new user certificate from the Certificate Authority. |
| Data Loss Prevention Filter | 93 | | Specifies a filter that is used while performing a data loss prevention check on files. The filter is a string in the AQS format, introduced by Microsoft for searching files. Any operation on a file that matches the given filter is blocked by Device Control. |