none
1803 Windows app privacy permissions via Group Policy

    Question

  • Hello, 

    We are using the GPO settings under Administrative Templates > Windows Components > App Privacy to control access of Windows store apps use of various system resources such as the Microphone (Policy Name: "Let Windows apps access the microphone"). 

    Since the 1803 update, if we enable a policy to control the camera or microphone it impacts all other (non-store) applications installed to the system, such as Skype for Business. This behavior is different to 1709 which allows control of the store apps (even on an individual basis), but leaves the other non-store applications without restriction.

    How can we configure this setting without impacting non-store applications installed to each system? 

    Steps to recreate the issue (assuming a built in mic to the system):

    1. Update to 1803
    2. Configure the Administrative Templates > Windows Components > App Privacy > Let Windows apps access the microphone policy and set to Enabled with Force Deny as the default. 
    3. Open the Sound settings control panel. You will see no levels.
    4. Open a non-store application and test (e.g. Skype for Business). 

    Thanks in advance for your help.

    Monday, May 14, 2018 2:28 PM

All replies

  • Hi,

     

    This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

    If you have any updates during this process, please feel free to let me know.

    Best Regards,

    William


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 15, 2018 1:46 PM
  • Hi,

    The following worked for me (for the camera only) :

    1. Update your *.admx files according to your Windows version (1803)
      https://www.microsoft.com/en-US/download/details.aspx?id=56880
    2. Go under Administrative Templates > Windows Components > Camera and set Allow the use of camera to Enabled

    You should now be able to use camera on softwares.
    I am searching for the policy to activate the mic for the moment but I still can't find it...

    Alexandre


    Wednesday, May 16, 2018 9:28 AM
  • Many thanks for this suggestion, Alexandre. Unfortunately in my test enabling the camera with the Windows Components > Camera setting didn't work to enable the camera when the Windows Components > App Privacy > Let Windows apps access the microphone setting is also configured with Force Deny.

    When the App Privacy policy is configured the settings page shows as the screenshot below. I would expect the "Allow apps to access your camera" to be unavailable/greyed out, but not the setting "Allow access to the camera on this device"  (which in my testing affects all applications, not just store apps).

    

     
    Wednesday, May 16, 2018 1:17 PM
  • I'm finaly having the same issue on my side, my bad...
    I think both settings are not compatible at the moment.

    I'll, for the moment, allow camera/micro access for the whole system to let softwares access them, and block the access app per app.

    • Camera access for the device will be turned on
    • Allow apps to access your camera will aso be turned on
    • But every apps will be turned off without possibily to the user to change these tick boxes.
    Wednesday, May 16, 2018 2:27 PM
  • Here you can see the result for me on my camera setting.

    Both boxes are displayed grey, camera is activated on my device, also for application.
    As you can see I just deactivated app per app on the gpo parameters to force the camera deactivation.
    Apps cannot be activated back by the user, of course.

    Wednesday, May 16, 2018 3:20 PM
  • Hi William,

    Any progress with the research here? I'm fairly certain that the change in behavior for these App privacy settings in 1803 is not intended to impact Win32 applications. 

    Thanks

    Wednesday, June 6, 2018 7:49 PM
  • Having the same issue.

    Also did not expect the 'app privacy' section to impact regular desktop applications.

    This can't be intended behaviour.


    If you don't stand for something. You will fall for anything.

    Thursday, June 14, 2018 12:28 PM
  • Having the same issue.

    Also did not expect the 'app privacy' section to impact regular desktop applications.

    This can't be intended behaviour.


    If you don't stand for something. You will fall for anything.

    Actually it looks it is.  If you look in the descriptions on the privacy settings, the wording has changed since 1709.  Let's take location as an example:

    "If the location service is on, Windows, apps, and services can use your location...."

    Seems to cover all the bases there.  Also notice how it's no longer "app privacy" (although the GPO settings are under that title) but is now just labelled as "privacy" in the settings app.


    • Edited by _cSand Tuesday, June 26, 2018 8:27 PM
    Tuesday, June 26, 2018 8:17 PM
  • I have a similar issue, 

    Can we change the defaults to get the microphone and camera working.

    Tuesday, July 31, 2018 12:42 PM
  • Any news? I am having the same issue. Skype for Business does not have access to camera and microphone anymore on 1803.

    This doesn't seem right, since the GPO is "App" Settings, but Skype for Business Desktop application is also influenced.

    Will there be a KB, or do we need to change the app settings to make the desktop applications work again?

    Thanks,

    Oliver



    Monday, August 13, 2018 8:33 AM
  • We got the same issue when upgrading to 1803 and we are looking for a solution to solve this issue with a GPO.

    I would appreciate if Microsoft take position to this behavior and how I could solve it.

    Thursday, August 23, 2018 5:16 AM
  • After updating windows to 1803, microphone will be disable automatically, we can solve it through GPO. Sometimes it may not work in some client computers, in this situation we can edit in registry of client machine. Steps are mentioned below:

    Let apps use my microphone

    Group Policy

    This policy setting specifies whether Windows apps can access the microphone.

    You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.

            • Open the Group Policy Editor
            • Go to Computer Configuration > Administrative Templates > Windows Components > App Privacy
            • Select Let windows apps access the microphone
            • Set the policy to enabled.
            • In the “default for all apps” box, set one of the following values:
            • User is in control means that users may change the privacy setting using the Settings application.
            • Force allow means that apps may access the microphone, and that users cannot change it.
            • Force deny means that apps may not access the microphone, and that users cannot change this.

    Windows Registry

    1. Open the Registry Editor
    2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
    3. Right-click on AppPrivacy, and select New > Dword (32-bit) Value.
    4. Name it LetAppsAccessMicrophone.
    5. Set it to one of the following values:
        1. A value of 0 means that users are in control.
        2. A value of 1 means force allow.
        3. A value of 2 means force deny.

    Thursday, August 23, 2018 6:33 AM
  • This didnt solve it for us.

    There are now two options in 1803, "Allow access to the microphone on this device" and "Allow Apps to access your microphone". The latter appears to be the same as "let apps access your microphone".

    The major problem with the GPO option mentioned above is that it is effectively a Force on or Force off option for ALL apps (Modern and legacy). Setting the option to let user decide effectively does nothing except allow you to specify specific MODERN APPS to be force allow\deny (if im wrong, the GPO option needs to specify wildcard options or legacy app options much better). This does nothing to help all the other apps that use the microphone (ie anything classed as Win32\legacy apps like browsers, O365 skype etc) and still let user decide. While not mentioned anywhere, this option also appears to apply to all LEGACY apps in the background and cannot be configured.

    Therefore the only option if you truly want user to decide, but keep the option for legacy apps on (important when you use skype for voice comms) is to set the HKCU Regkey that sets the second option to enabled, but let user decide what MODERN apps it applies to (which is what you would assume the Let user Decide option in GPO would do). 

    Regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone

    When configured, Reg_SZ "Value" is set to Allow or Deny

    More info at: https://www.tenforums.com/tutorials/102647-allow-deny-os-apps-access-microphone-windows-10-a.html


    • Edited by Revengers Friday, August 31, 2018 2:25 AM Formatting
    • Proposed as answer by Revengers Friday, August 31, 2018 6:49 AM
    Friday, August 31, 2018 2:25 AM