diff --git a/windows/client-management/change-history-for-mdm-documentation.md b/windows/client-management/change-history-for-mdm-documentation.md
index 80c06690e1..b77a1761a8 100644
--- a/windows/client-management/change-history-for-mdm-documentation.md
+++ b/windows/client-management/change-history-for-mdm-documentation.md
@@ -20,14 +20,14 @@ As of November 2020 This page will no longer be updated. This article lists new
|New or updated article | Description|
|--- | ---|
-| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policy:
- [Multitasking/BrowserAltTabBlowout](mdm/policy-csp-multitasking.md#multitasking-browseralttabblowout) |
+| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policy:
- [Multitasking/BrowserAltTabBlowout](mdm/policy-csp-multitasking.md#browseralttabblowout) |
| [SurfaceHub CSP](mdm/surfacehub-csp.md) | Added the following new node:
-Properties/SleepMode |
## October 2020
|New or updated article | Description|
|--- | ---|
-| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policies
- [Experience/DisableCloudOptimizedContent](mdm/policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](mdm/policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](mdm/policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](mdm/policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](mdm/policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](mdm/policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](mdm/policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
- [Update/DisableWUfBSafeguards](mdm/policy-csp-update.md#update-disablewufbsafeguards)
- [WindowsSandbox/AllowAudioInput](mdm/policy-csp-windowssandbox.md#windowssandbox-allowaudioinput)
- [WindowsSandbox/AllowClipboardRedirection](mdm/policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection)
- [WindowsSandbox/AllowNetworking](mdm/policy-csp-windowssandbox.md#windowssandbox-allownetworking)
- [WindowsSandbox/AllowPrinterRedirection](mdm/policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection)
- [WindowsSandbox/AllowVGPU](mdm/policy-csp-windowssandbox.md#windowssandbox-allowvgpu)
- [WindowsSandbox/AllowVideoInput](mdm/policy-csp-windowssandbox.md#windowssandbox-allowvideoinput) |
+| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policies
- [Experience/DisableCloudOptimizedContent](mdm/policy-csp-experience.md#disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](mdm/policy-csp-localusersandgroups.md#configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](mdm/policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](mdm/policy-csp-mixedreality.md#brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](mdm/policy-csp-mixedreality.md#fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](mdm/policy-csp-mixedreality.md#microphonedisabled)
- [MixedReality/VolumeButtonDisabled](mdm/policy-csp-mixedreality.md#volumebuttondisabled)
- [Update/DisableWUfBSafeguards](mdm/policy-csp-update.md#disablewufbsafeguards)
- [WindowsSandbox/AllowAudioInput](mdm/policy-csp-windowssandbox.md#allowaudioinput)
- [WindowsSandbox/AllowClipboardRedirection](mdm/policy-csp-windowssandbox.md#allowclipboardredirection)
- [WindowsSandbox/AllowNetworking](mdm/policy-csp-windowssandbox.md#allownetworking)
- [WindowsSandbox/AllowPrinterRedirection](mdm/policy-csp-windowssandbox.md#allowprinterredirection)
- [WindowsSandbox/AllowVGPU](mdm/policy-csp-windowssandbox.md#allowvgpu)
- [WindowsSandbox/AllowVideoInput](mdm/policy-csp-windowssandbox.md#allowvideoinput) |
## September 2020
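Review bot: The shortened fragments in the November and October 2020 rows (for example `#browseralttabblowout`, `#configure`, `#allownetworking`) resolve only if the target `policy-csp-*.md` pages already expose headings with the bare policy name, and none of those pages is touched in the lines shown here. Please confirm that they do, or attach a link-check run, because a stale fragment fails silently by landing at the top of the page. `#configure` is generic enough that it is worth checking by hand that it is unique within `policy-csp-localusersandgroups.md`.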
diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md
index ce77a2e025..67353c881b 100644
--- a/windows/client-management/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md
@@ -105,7 +105,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
2. Find the variable names of the parameters in the ADMX file.
- You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2).
+ You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#publishingallowserver2).

diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 466a326260..37aae00014 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
ms.date: 06/03/2022
author: vinaypamnani-msft
ms.author: vinpa
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.topic: overview
ms.technology: itpro-manage
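Review bot: The `ms.reviewer:` edit is whitespace-only and leaves the key empty. Either fill in a reviewer alias or drop the key. Consider keeping whitespace cleanups like this one out of a patch whose purpose is link changes, so the fragment edits are easier to audit.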
@@ -30,11 +30,8 @@ This six-minute video demonstrates how users can bring in a new retail device an
This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
- [Deployment and Provisioning](#deployment-and-provisioning)
-
- [Identity and Authentication](#identity-and-authentication)
-
- [Configuration](#settings-and-configuration)
-
- [Updating and Servicing](#updating-and-servicing)
## Reviewing the management options with Windows 10
@@ -121,7 +118,7 @@ There are various steps you can take to begin the process of modernizing device
**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
-**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md).
+**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md).
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles:
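Review bot: In the "Take incremental steps" paragraph, the closing link labelled "Policies supported by group policy" still targets `./mdm/policy-configuration-service-provider.md`, while this same patch edits a dedicated `mdm/policies-in-policy-csp-supported-by-group-policy.md`. Since the line is being rewritten anyway, point that link at the dedicated page. MDMWinsOverGP decides which of two conflicting policy sources takes effect on the device, so also confirm that the new `#mdmwinsovergp` fragment resolves; otherwise readers are dropped at the top of the ControlPolicyConflict page instead of at the precedence rule.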
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index 0224b374cf..c45d67308a 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 11/29/2022
+ms.date: 01/18/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -2927,6 +2927,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [ConfigureRpcListenerPolicy](policy-csp-printers.md)
- [ConfigureRpcConnectionPolicy](policy-csp-printers.md)
- [ConfigureRpcTcpPort](policy-csp-printers.md)
+- [ConfigureRpcAuthnLevelPrivacyEnabled](policy-csp-printers.md)
- [ConfigureIppPageCountsPolicy](policy-csp-printers.md)
- [ConfigureRedirectionGuardPolicy](policy-csp-printers.md)
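Review bot: The new `ConfigureRpcAuthnLevelPrivacyEnabled` entry links to `policy-csp-printers.md`, but nothing in the visible part of this patch adds the matching section to that page. Please confirm the policy is documented there in the same change, so the index does not list a setting that readers cannot look up. The fragment-less link matches the neighbouring entries, so no change is needed on that point.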
@@ -2987,6 +2988,7 @@ This article lists the ADMX-backed policies in Policy CSP.
## SettingsSync
- [DisableAccessibilitySettingSync](policy-csp-settingssync.md)
+- [DisableLanguageSettingSync](policy-csp-settingssync.md)
## Storage
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index df5363e3dd..b5b7fa8d91 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 11/29/2022
+ms.date: 01/18/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -317,12 +317,14 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md)
- [DOCacheHost](policy-csp-deliveryoptimization.md)
- [DOCacheHostSource](policy-csp-deliveryoptimization.md)
+- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md)
- [DOGroupIdSource](policy-csp-deliveryoptimization.md)
- [DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md)
- [DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md)
- [DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md)
- [DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md)
- [DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md)
+- [DOVpnKeywords](policy-csp-deliveryoptimization.md)
## DeviceGuard
@@ -877,6 +879,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [NotifyMalicious](policy-csp-webthreatdefense.md)
- [NotifyPasswordReuse](policy-csp-webthreatdefense.md)
- [NotifyUnsafeApp](policy-csp-webthreatdefense.md)
+- [CaptureThreatWindow](policy-csp-webthreatdefense.md)
## Wifi
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
index dccc4df62a..0bdb057669 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
@@ -14,50 +14,50 @@ ms.date: 09/17/2019
# Policies in Policy CSP supported by HoloLens (first gen) Commercial Suite
-- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
-- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
-- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname)
-- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising)
-- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
-- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
-- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill)
-- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
-- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
-- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
-- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
-- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
-- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
-- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
-- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
-- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
-- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
-- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
-- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
-- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
-- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
-- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect)
+- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname)
+- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename)
+- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill)
+- [Browser/AllowCookies](policy-csp-browser.md#allowcookies)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicepasswordenabled)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength)
+- [Experience/AllowCortana](policy-csp-experience.md#allowcortana)
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#requiredeviceencryption)
+- [Settings/AllowDateTime](policy-csp-settings.md#allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#allowvpn)
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#allowspeechmodelupdate)
- [System/AllowLocation](policy-csp-system.md#allowlocation)
- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
-- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
-- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
-- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade)
-- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval)
-- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
-- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
-- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
-- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+- [Update/AllowAutoUpdate](policy-csp-update.md#allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#allowupdateservice)
+- [Update/RequireDeferUpgrade](policy-csp-update.md#requiredeferupgrade)
+- [Update/RequireUpdateApproval](policy-csp-update.md#requireupdateapproval)
+- [Update/ScheduledInstallDay](policy-csp-update.md#scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#scheduledinstalltime)
+- [Update/UpdateServiceUrl](policy-csp-update.md#updateserviceurl)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration)
## Related topics
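Review bot: The hunk header shows this file still carries `ms.date: 09/17/2019`, and no visible hunk for this file updates it, although all but two list entries change here and the two index pages earlier in this patch bump `ms.date` to 01/18/2023. Update the date, or state in the commit message that link-only edits intentionally leave it alone. The context lines `System/AllowLocation` and `System/AllowTelemetry` already used bare fragments, so the list is uniform after this change; a link check against the target pages would confirm that the remaining entries resolve the same way.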
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
index 78c0ec3a24..d610e84f01 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
@@ -14,48 +14,48 @@ ms.date: 07/18/2019
# Policies in Policy CSP supported by HoloLens (first gen) Development Edition
-- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
-- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
-- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising)
-- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
-- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
-- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
-- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
-- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
-- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
-- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
-- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
-- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
-- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
-- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
-- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
-- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
-- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
-- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
-- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
-- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#allowalltrustedapps)
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect)
+- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
+- [Browser/AllowCookies](policy-csp-browser.md#allowcookies)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicepasswordhistory)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#mindevicepasswordcomplexcharacters)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicepasswordenabled)
+- [Experience/AllowCortana](policy-csp-experience.md#allowcortana)
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#requiredeviceencryption)
+- [Settings/AllowDateTime](policy-csp-settings.md#allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#allowvpn)
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#allowspeechmodelupdate)
- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
- [System/AllowLocation](policy-csp-system.md#allowlocation)
-- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
-- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
-- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval)
-- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
-- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
-- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
-- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade)
-- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+- [Update/AllowAutoUpdate](policy-csp-update.md#allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#allowupdateservice)
+- [Update/RequireUpdateApproval](policy-csp-update.md#requireupdateapproval)
+- [Update/ScheduledInstallDay](policy-csp-update.md#scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#scheduledinstalltime)
+- [Update/UpdateServiceUrl](policy-csp-update.md#updateserviceurl)
+- [Update/RequireDeferUpgrade](policy-csp-update.md#requiredeferupgrade)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration)
## Related topics
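Review bot: The entries keep their old non-alphabetical order (`ApplicationManagement/AllowAllTrustedApps` after `AllowDeveloperUnlock`, `Browser/AllowCookies` after `AllowSmartScreen`, `Update/RequireDeferUpgrade` last), whereas the Commercial Suite list in the previous file is sorted. Nearly every line is rewritten here anyway, so sorting within each area would make the two lists directly comparable and make a missing or extra policy easier to spot. As with the previous file, the hunk header shows `ms.date: 07/18/2019` unchanged.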
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index 082b79a3aa..ee5e75bc24 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -14,126 +14,126 @@ ms.date: 08/01/2022
# Policies in Policy CSP supported by HoloLens 2
-- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
-- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [ApplicationManagement/RequirePrivateStoreOnly](policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly) 11
-- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect)
-- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname)
-- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode)
-- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename)
-- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill)
-- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies)
-- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack)
-- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager)
-- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen)
-- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
-- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection)
-- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
-- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
-- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration)
-- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
-- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
-- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
-- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
-- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9
-- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) 12
-- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)10
-- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11
-- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9
-- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
-- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#mixedreality-configurentpclient) 12
-- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) 12
-- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9
-- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9
-- [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#mixedreality-manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
-- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9
-- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#mixedreality-ntpclientenabled) 12
-- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) 12
-- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) 12
-- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) 10
-- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9
-- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9
-- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) 9
-- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) 9
-- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) 9
-- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) 9
-- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) 9
-- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
-- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience) Insider
-- [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
-- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
-- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
-- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
-- [Privacy/LetAppsAccessBackgroundSpatialPerception](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception)
-- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps)
-- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps)
-- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps) 8
-- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps) 8
-- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps) 8
-- [Privacy/LetAppsAccessGazeInput](policy-csp-privacy.md#privacy-letappsaccessgazeinput) 8
-- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forceallowtheseapps) 8
-- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forcedenytheseapps) 8
-- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-userincontroloftheseapps) 8
-- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#privacy-letappsaccesscamera)
-- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#privacy-letappsaccesslocation)
-- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#privacy-letappsaccessmicrophone)
-- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) 8
-- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) 8
-- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) 8
+- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock)
+- [ApplicationManagement/RequirePrivateStoreOnly](policy-csp-applicationmanagement.md#requireprivatestoreonly) 11
+- [Authentication/AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect)
+- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname)
+- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename)
+- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill)
+- [Browser/AllowCookies](policy-csp-browser.md#allowcookies)
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack)
+- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager)
+- [Browser/AllowPopups](policy-csp-browser.md#allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
+- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection)
+- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicepasswordenabled)
+- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicepasswordexpiration)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength)
+- [Experience/AllowCortana](policy-csp-experience.md#allowcortana)
+- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#allowmanualmdmunenrollment)
+- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays)
+- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays) 9
+- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#allowcaptiveportalbeforelogon) 12
+- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#allowlaunchuriinsingleappkiosk)10
+- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#autologonuser) 11
+- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#brightnessbuttondisabled) 9
+- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
+- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#configurentpclient) 12
+- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#disallownetworkconnectivitypassivepolling) 12
+- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#fallbackdiagnostics) 9
+- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#headtrackingmode) 9
+- [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
+- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#microphonedisabled) 9
+- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#ntpclientenabled) 12
+- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#skipcalibrationduringsetup) 12
+- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#skiptrainingduringsetup) 12
+- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#visitorautologon) 10
+- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#volumebuttondisabled) 9
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) 9
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) 9
+- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) 9
+- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) 9
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) 9
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) 9
+- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization)
+- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#disableprivacyexperience) Insider
+- [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#letappsaccessaccountinfo)
+- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forceallowtheseapps)
+- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forcedenytheseapps)
+- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_userincontroloftheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception](policy-csp-privacy.md#letappsaccessbackgroundspatialperception)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_forceallowtheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_forcedenytheseapps)
+- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_userincontroloftheseapps)
+- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscamera_forceallowtheseapps) 8
+- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscamera_forcedenytheseapps) 8
+- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscamera_userincontroloftheseapps) 8
+- [Privacy/LetAppsAccessGazeInput](policy-csp-privacy.md#letappsaccessgazeinput) 8
+- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forceallowtheseapps) 8
+- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forcedenytheseapps) 8
+- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_userincontroloftheseapps) 8
+- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#letappsaccesscamera)
+- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation)
+- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone)
+- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps) 8
+- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps) 8
+- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_userincontroloftheseapps) 8
- [RemoteLock/Lock](./remotelock-csp.md) 9
-- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage) 9
-- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage) 9
-- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
-- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
-- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) 9
-- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
-- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#storage-allowstoragesenseglobal) 12
-- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) 12
-- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) 12
-- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) 12
-- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#storage-configstoragesenseglobalcadence) 12
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation)
+- [Security/AllowAddProvisioningPackage](policy-csp-security.md#allowaddprovisioningpackage) 9
+- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#allowremoveprovisioningpackage) 9
+- [Settings/AllowDateTime](policy-csp-settings.md#allowdatetime)
+- [Settings/AllowVPN](policy-csp-settings.md#allowvpn)
+- [Settings/PageVisibilityList](./policy-csp-settings.md#pagevisibilitylist) 9
+- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#allowspeechmodelupdate)
+- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#allowstoragesenseglobal) 12
+- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#allowstoragesensetemporaryfilescleanup) 12
+- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#configstoragesensecloudcontentdehydrationthreshold) 12
+- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#configstoragesensedownloadscleanupthreshold) 12
+- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#configstoragesenseglobalcadence) 12
- [System/AllowCommercialDataPipeline](policy-csp-system.md#allowcommercialdatapipeline)
- [System/AllowLocation](policy-csp-system.md#allowlocation)
- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
-- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) 9
-- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) 9
-- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) 9
-- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) 9
-- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
-- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
-- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) 11
-- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) 11
-- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
-- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) 11
-- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) 11
-- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) 11
-- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) 11
-- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays)
-- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays)
-- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds)
-- [Update/PauseFeatureUpdates](policy-csp-update.md#update-pausefeatureupdates)
-- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates)
-- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday)
-- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
-- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) 11
-- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) 11
-- [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess)
-- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) 11
-- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
-- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8
+- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#configuretimezone) 9
+- [Update/ActiveHoursEnd](./policy-csp-update.md#activehoursend) 9
+- [Update/ActiveHoursMaxRange](./policy-csp-update.md#activehoursmaxrange) 9
+- [Update/ActiveHoursStart](./policy-csp-update.md#activehoursstart) 9
+- [Update/AllowAutoUpdate](policy-csp-update.md#allowautoupdate)
+- [Update/AllowUpdateService](policy-csp-update.md#allowupdateservice)
+- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#autorestartnotificationschedule) 11
+- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#autorestartrequirednotificationdismissal) 11
+- [Update/BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel)
+- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#configuredeadlineforfeatureupdates) 11
+- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#configuredeadlineforqualityupdates) 11
+- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#configuredeadlinegraceperiod) 11
+- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#configuredeadlinenoautoreboot) 11
+- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#deferqualityupdatesperiodindays)
+- [Update/ManagePreviewBuilds](policy-csp-update.md#managepreviewbuilds)
+- [Update/PauseFeatureUpdates](policy-csp-update.md#pausefeatureupdates)
+- [Update/PauseQualityUpdates](policy-csp-update.md#pausequalityupdates)
+- [Update/ScheduledInstallDay](policy-csp-update.md#scheduledinstallday)
+- [Update/ScheduledInstallTime](policy-csp-update.md#scheduledinstalltime)
+- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#scheduleimminentrestartwarning) 11
+- [Update/ScheduleRestartWarning](policy-csp-update.md#schedulerestartwarning) 11
+- [Update/SetDisablePauseUXAccess](policy-csp-update.md#setdisablepauseuxaccess)
+- [Update/UpdateNotificationLevel](policy-csp-update.md#updatenotificationlevel) 11
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi) 8
Footnotes:
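Review bot: The rewritten list still carries `MixedReality/AADGroupMembershipCacheValidityInDays` twice, once without a footnote marker and once with `9`. Every line here is being touched anyway, so drop the unmarked duplicate. Two other carried-over formatting slips could be fixed in the same pass: the missing space before the footnote number in `#allowlaunchuriinsingleappkiosk)10`, and the unmatched `*` before `[Feb. 2022 Servicing release]` on the `ConfigureMovingPlatform` and `ManualDownDirectionDisabled` entries. Beyond stripping the area prefix, the change also corrects two misspelled fragments (`allowcaptiveportalpeforelogon`, `disablesisallownetworkconnectivitypassivepolling`) and switches the Privacy `_ForceAllowTheseApps`, `_ForceDenyTheseApps` and `_UserInControlOfTheseApps` anchors from a hyphen to an underscore. Please confirm the target headings in `policy-csp-privacy.md` generate the underscore form, and mention the typo fixes in the commit message.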
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
index 3e333af7f9..e15af01618 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by Windows 10 IoT Core
description: Learn about the policies in Policy CSP supported by Windows 10 IoT Core.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
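Review bot: The removed and added `ms.reviewer:` lines differ only in whitespace, and the field is still empty. If the whitespace cleanup is intentional, that is fine; otherwise drop it so the diff for this file stays limited to the anchor updates.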
@@ -14,57 +14,57 @@ ms.date: 09/16/2019
# Policies in Policy CSP supported by Windows 10 IoT Core
-- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
-- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [CredentialProviders/AllowPINLogon](policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
-- [CredentialProviders/BlockPicturePassword](policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
-- [DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md#dataprotection-allowdirectmemoryaccess)
-- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
-- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
-- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
-- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
-- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
-- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
-- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
-- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated)
-- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated)
-- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated)
-- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
-- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
-- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
-- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
-- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
-- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
-- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
-- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
-- [Wifi/AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
-- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
-- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
-- [Wifi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode)
+- [Camera/AllowCamera](policy-csp-camera.md#allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#showappcellularaccessui)
+- [CredentialProviders/AllowPINLogon](policy-csp-credentialproviders.md#allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](policy-csp-credentialproviders.md#blockpicturepassword)
+- [DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md#allowdirectmemoryaccess)
+- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#disableactivexversionlistautodownload)
+- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#disablecompatview)
+- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#disablegeolocation)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost)
+- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource)
+- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#dodelaybackgrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#dodelayforegrounddownloadfromhttp)
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackbackground)
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackforeground)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#dogroupid)
+- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#dogroupidsource)
+- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
+- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxforegrounddownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#dominbackgroundqos)
+- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#dominbatterypercentageallowedtoupload)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxbackgroundbandwidth)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxforegroundbandwidth)
+- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#dorestrictpeerselectionby)
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth)
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitforegrounddownloadbandwidth)
+- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#allowdevicehealthmonitoring)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#configdevicehealthmonitoringscope)
+- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#configdevicehealthmonitoringuploaddestination)
+- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#letappsactivatewithvoice)
+- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#letappsactivatewithvoiceabovelock)
+- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#configuredeadlinenoautoreboot)
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md#allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi)
+- [Wifi/WLANScanMode](policy-csp-wifi.md#wlanscanmode)
## Related topics
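Review bot: The two added entries labelled (Deprecated), DeliveryOptimization/DOMaxUploadBandwidth and DeliveryOptimization/DOPercentageMaxDownloadBandwidth, link to policy-csp-deliveryoptimization.md with no fragment, so a reader lands at the top of the page with nothing saying where the setting went. Either point each link at the section that documents the deprecation, or drop the link and keep the plain policy name with the (Deprecated) label.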
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index a1cd81ffcb..ce20ebe3db 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -14,13 +14,13 @@ ms.date: 07/22/2020
# Policies in Policy CSP supported by Microsoft Surface Hub
-- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [Accounts/AllowMicrosoftAccountConnection](./policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection)
-- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
-- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
-- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#allowdeveloperunlock)
+- [Accounts/AllowMicrosoftAccountConnection](./policy-csp-accounts.md#allowmicrosoftaccountconnection)
+- [Camera/AllowCamera](policy-csp-camera.md#allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#showappcellularaccessui)
+- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#allowfipsalgorithmpolicy)
+- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#tlsciphersuites)
- [Defender/AllowArchiveScanning](policy-csp-defender.md#allowarchivescanning)
- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#allowbehaviormonitoring)
- [Defender/AllowCloudProtection](policy-csp-defender.md#allowcloudprotection)
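Review bot: The three rewritten ApplicationManagement and Accounts links keep the `./` prefix (`./policy-csp-applicationmanagement.md`, `./policy-csp-accounts.md`) while the Camera, Cellular and Cryptography links in the same hunk use the bare file name. Since these lines are being rewritten anyway, drop the `./` so the list uses one link form. Accounts/AllowMicrosoftAccountConnection also still sits after the ApplicationManagement entries, out of alphabetical order with the rest of the list.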
@@ -47,53 +47,52 @@ ms.date: 07/22/2020
- [Defender/SignatureUpdateInterval](policy-csp-defender.md#signatureupdateinterval)
- [Defender/SubmitSamplesConsent](policy-csp-defender.md#submitsamplesconsent)
- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#threatseveritydefaultaction)
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
-- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
-- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
-- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#doallowvpnpeercaching)
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode)
+- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#dogroupid)
+- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
+- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
+- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#dominbackgroundqos)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated)
+- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#preventuserredirectionofprofilefolders)
+- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md#configuregroupmembership)
- [System/AllowLocation](policy-csp-system.md#allowlocation)
- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
-- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
-- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
-- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
-- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#textinput-allowjapaneseimesurrogatepaircharacters)
-- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#textinput-allowjapaneseivscharacters)
-- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#textinput-allowjapanesenonpublishingstandardglyph)
-- [TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#textinput-allowjapaneseuserdictionary)
-- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
-- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208)
-- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208andeudc)
-- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#textinput-excludejapaneseimeexceptshiftjis)
-- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
-- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
-- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
-- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
-- [Wifi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#wifi-allowwifihotspotreporting)
-- [Wifi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode)
-- [Wifi/AllowWiFiDirect](policy-csp-wifi.md#wifi-allowwifidirect)
-- [WirelessDisplay/AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsadvertisement)
-- [WirelessDisplay/AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsdiscovery)
-- [WirelessDisplay/AllowProjectionFromPC](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompc)
-- [WirelessDisplay/AllowProjectionFromPCOverInfrastructure](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompcoverinfrastructure)
-- [WirelessDisplay/AllowProjectionToPC](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
-- [WirelessDisplay/AllowProjectionToPCOverInfrastructure](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopcoverinfrastructure)
-- [WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver](policy-csp-wirelessdisplay.md#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver)
-- [WirelessDisplay/RequirePinForPairing](policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
-
+- [TextInput/AllowIMELogging](policy-csp-textinput.md#allowimelogging)
+- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#allowimenetworkaccess)
+- [TextInput/AllowInputPanel](policy-csp-textinput.md#allowinputpanel)
+- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#allowjapaneseimesurrogatepaircharacters)
+- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#allowjapaneseivscharacters)
+- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#allowjapanesenonpublishingstandardglyph)
+- [TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#allowjapaneseuserdictionary)
+- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#allowlanguagefeaturesuninstall)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#excludejapaneseimeexceptjis0208)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#excludejapaneseimeexceptjis0208andeudc)
+- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#excludejapaneseimeexceptshiftjis)
+- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#configuretimezone)
+- [Wifi/AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi)
+- [Wifi/AllowWiFiHotSpotReporting](policy-csp-wifi.md) (Deprecated)
+- [Wifi/WLANScanMode](policy-csp-wifi.md#wlanscanmode)
+- [Wifi/AllowWiFiDirect](policy-csp-wifi.md#allowwifidirect)
+- [WirelessDisplay/AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#allowmdnsadvertisement)
+- [WirelessDisplay/AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#allowmdnsdiscovery)
+- [WirelessDisplay/AllowProjectionFromPC](policy-csp-wirelessdisplay.md#allowprojectionfrompc)
+- [WirelessDisplay/AllowProjectionFromPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectionfrompcoverinfrastructure)
+- [WirelessDisplay/AllowProjectionToPC](policy-csp-wirelessdisplay.md#allowprojectiontopc)
+- [WirelessDisplay/AllowProjectionToPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectiontopcoverinfrastructure)
+- [WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver](policy-csp-wirelessdisplay.md#allowuserinputfromwirelessdisplayreceiver)
+- [WirelessDisplay/RequirePinForPairing](policy-csp-wirelessdisplay.md#requirepinforpairing)
## Related topics
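Review bot: Four entries in this hunk do more than rename an anchor: DOMaxDownloadBandwidth, DOMaxUploadBandwidth, DOPercentageMaxDownloadBandwidth and Wifi/AllowWiFiHotSpotReporting lose their fragment and gain a (Deprecated) label. That is a content change hidden inside a mechanical rename, so it should be named in the commit message, and it is worth confirming that deprecated policies belong in a "supported by Surface Hub" list at all. Separately, the hunk goes from 53 to 52 lines because the blank line after the last WirelessDisplay entry is removed, which leaves `## Related topics` directly against the list; keep a blank line before the heading.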
diff --git a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
index ee156ca4b2..3d2e78b195 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
@@ -14,26 +14,26 @@ ms.date: 07/18/2019
# Policies in Policy CSP that can be set using Exchange Active Sync (EAS)
-- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
-- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
-- [Connectivity/AllowCellularDataRoaming](policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
-- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
-- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
-- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration)
-- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
-- [DeviceLock/PreventLockScreenSlideShow](policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
-- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [Camera/AllowCamera](policy-csp-camera.md#allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#showappcellularaccessui)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
+- [Connectivity/AllowCellularDataRoaming](policy-csp-connectivity.md#allowcellulardataroaming)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicepasswordenabled)
+- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicepasswordexpiration)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength)
+- [DeviceLock/PreventLockScreenSlideShow](policy-csp-devicelock.md#preventlockscreenslideshow)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#requiredeviceencryption)
- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
- [System/TelemetryProxy](policy-csp-system.md#telemetryproxy)
-- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
-- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
+- [Wifi/AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi)
## Related topics
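Review bot: Every rewritten fragment in this hunk, for example `#requiredeviceencryption` and `#mindevicepasswordlength`, resolves only if the heading IDs in policy-csp-devicelock.md, policy-csp-security.md and the other target pages were renamed in the same change, and this hunk gives no way to confirm that. Run the link checker against this file before merging, because a stale fragment fails silently and drops the reader at the top of the target page instead of at the DeviceLock or encryption setting they were looking for.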
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 283417da87..6ab8b5a7a4 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1,10 +1,10 @@
---
title: Policy CSP
-description: Learn more about the Policy CSP
+description: Learn more about the Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 11/22/2022
+ms.date: 01/17/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -94,6 +94,7 @@ The following example shows the Policy configuration service provider in tree fo
+
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.
@@ -132,7 +133,8 @@ Node for grouping all policies configured by one source. The configuration sourc
-The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
+
+The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
@@ -171,7 +173,8 @@ The area group that can be configured by a single technology for a single provid
-Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
+
+Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
@@ -218,6 +221,7 @@ The following list shows some tips to help you when configuring policies:
+
The root node for grouping different configuration operations.
@@ -256,6 +260,7 @@ The root node for grouping different configuration operations.
+
Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.
@@ -298,6 +303,7 @@ Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported
+
Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
@@ -337,6 +343,7 @@ Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX f
+
Setting Type of Win32 App. Policy Or Preference
@@ -376,6 +383,7 @@ Setting Type of Win32 App. Policy Or Preference
+
Unique ID of ADMX file
@@ -415,6 +423,7 @@ Unique ID of ADMX file
+
Properties of Win32 App ADMX Ingestion
@@ -453,6 +462,7 @@ Properties of Win32 App ADMX Ingestion
+
Setting Type of Win32 App. Policy Or Preference
@@ -492,6 +502,7 @@ Setting Type of Win32 App. Policy Or Preference
+
Unique ID of ADMX file
@@ -531,7 +542,8 @@ Unique ID of ADMX file
-Version of ADMX file. This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device.
+
+Version of ADMX file. This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device.
@@ -569,6 +581,7 @@ Version of ADMX file. This can be set by the server to keep a record of the ver
+
Groups the evaluated policies from all providers that can be configured.
@@ -607,6 +620,7 @@ Groups the evaluated policies from all providers that can be configured.
+
The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
@@ -646,6 +660,7 @@ The area group that can be configured by a single technology independent of the
+
Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
@@ -685,6 +700,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
+
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.
@@ -723,7 +739,8 @@ Node for grouping all policies configured by one source. The configuration sourc
-The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
+
+The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
@@ -770,7 +787,8 @@ The following list shows some tips to help you when configuring policies:
-Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
+
+Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
@@ -809,6 +827,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs
+
Groups the evaluated policies from all providers that can be configured.
@@ -847,6 +866,7 @@ Groups the evaluated policies from all providers that can be configured.
+
The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
@@ -886,6 +906,7 @@ The area group that can be configured by a single technology independent of the
+
Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
@@ -1074,7 +1095,6 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
- [Camera](policy-csp-camera.md)
- [Cellular](policy-csp-cellular.md)
- [CloudDesktop](policy-csp-clouddesktop.md)
-- [CloudPC](policy-csp-cloudpc.md)
- [Connectivity](policy-csp-connectivity.md)
- [ControlPolicyConflict](policy-csp-controlpolicyconflict.md)
- [CredentialProviders](policy-csp-credentialproviders.md)
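Review bot: Removing `- [CloudPC](policy-csp-cloudpc.md)` from the policy area list is a content change in a patch that otherwise adjusts spacing and metadata in this file, and nothing here says why the area is dropped. Confirm that policy-csp-cloudpc.md is deleted or redirected in the same change so the page is not left orphaned, and mention the removal in the commit message. The neighbouring `[CloudDesktop](policy-csp-clouddesktop.md)` entry stays, so say whether it supersedes CloudPC.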
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index d0febc03b7..bdb6a819f1 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -1,127 +1,199 @@
---
-title: Policy CSP - AboveLock
-description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more.
+title: AboveLock Policy CSP
+description: Learn more about the AboveLock Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
+ms.date: 01/09/2023
ms.localizationpriority: medium
-ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - AboveLock
-
If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. -- 1 – Allowed. Add up to five more search engines and set any one of them as the default.
For each search engine added, you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar +``` + -Most restricted value: 0 - - + + +The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. -
When you enable this policy and define a set of URLs in the HomePages policy, Microsoft Edge uses the URLs defined in the ConfigureOpenEdgeWith policy. + +**Allowed values**: -Most restricted value: 0 - - +| Value | Description | +|:--|:--| +| 0 (Default) | Lock down Start pages configured in either the ConfigureOpenEdgeWith policy and HomePages policy. | +| 1 | Unlocked. Users can make changes to all configured start pages. | + -
For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp). + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | EnterpriseModeSiteList | +| Friendly Name | Configure the Enterprise Mode Site List | +| Element Name | Type the location (URL) of your Enterprise Mode IE website list | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode | +| ADMX File Name | MicrosoftEdge.admx | + - - + + + -
\ _Microsoft.OneNoteWebClipper8wekyb3d8bbwe_ After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune. Removing extensions from the list doesn't uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy doesn't prevent users from debugging and altering the logic on an extension.
-
-
-
-
-
-
-
-
-
-
- Specify the URL as: Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser. A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it isn't yet running, or in a new tab. Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add. If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**. If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**.
-
-Most restricted value: 1
-
-
-
- Enter a URL in string format, for example, https://www.msn.com.
-
-
-
-
-
-
-
-
-
-
- Enter a URL in string format, for example, https://www.msn.com.
-
-
-
-
-
-
-
-
-
-
-
-
-**Browser/LockdownFavorites**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
->*Supported versions: Microsoft Edge on Windows 10, version 1709*
-
-[!INCLUDE [prevent-changes-to-favorites-shortdesc](../includes/prevent-changes-to-favorites-shortdesc.md)]
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Prevent changes to Favorites on Microsoft Edge*
-- GP name: *LockdownFavorites*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- 0 (default) - Allowed/not locked down. Users can add, import, and make changes to the favorites.
-- 1 - Prevented/locked down.
-
-Most restricted value: 1
-
-
-
-
-
-
-**Browser/PreventAccessToAboutFlagsInMicrosoftEdge**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../includes/prevent-access-to-about-flags-page-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Prevent access to the about:flags page in Microsoft Edge*
-- GP name: *PreventAccessToAboutFlagsInMicrosoftEdge*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- 0 (default) – Allowed.
-- 1 – Prevents users from accessing the about:flags page.
-
-Most restricted value: 1
-
-
-
-
-
-
-**Browser/PreventCertErrorOverrides**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../includes/prevent-certificate-error-overrides-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Prevent certificate error overrides*
-- GP name: *PreventCertErrorOverrides*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- 0 (default) - Allowed/turned on. Override the security warning to sites that have SSL errors.
-- 1 - Prevented/turned on.
-
-Most restricted value: 1
-
-
-
-
-
-
-
-
-
-
-
-
-**Browser/PreventFirstRunPage**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
->*Supported versions: Microsoft Edge on Windows 10, version 1703*
-
-[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../includes/prevent-first-run-webpage-from-opening-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Prevent the First Run webpage from opening on Microsoft Edge*
-- GP name: *PreventFirstRunPage*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- 0 (default) – Allowed. Load the First Run webpage.
-- 1 – Prevented/not allowed.
-
-Most restricted value: 1
-
-
-
-
-
-
-**Browser/PreventLiveTileDataCollection**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
-
-[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start*
-- GP name: *PreventLiveTileDataCollection*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- 0 (default) – Collect and send Live Tile metadata.
-- 1 – No data collected.
-
-Most restricted value: 1
-
-
-
-
-
-
-**Browser/PreventSmartScreenPromptOverride**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Prevent bypassing Windows Defender SmartScreen prompts for sites*
-- GP name: *PreventSmartScreenPromptOverride*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- 0 (default) – Allowed/turned off. Users can ignore the warning and continue to the site.
-- 1 – Prevented/turned on.
-
-Most restricted value: 1
-
-
-
-
-
-
-**Browser/PreventSmartScreenPromptOverrideForFiles**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Prevent bypassing Windows Defender SmartScreen prompts for files*
-- GP name: *PreventSmartScreenPromptOverrideForFiles*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- 0 (default) – Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s).
-- 1 – Prevented/turned on.
-
-Most restricted value: 1
-
-
-
-
-
-
-**Browser/PreventTurningOffRequiredExtensions**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../includes/prevent-turning-off-required-extensions-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Prevent turning off required extensions*
-- GP name: *PreventTurningOffRequiredExtensions*
-- GP element: *PreventTurningOffRequiredExtensions_Prompt*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- Blank (default) - Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored.
-
-- String - Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper extension prevents users from turning it off:
-
-
-**Browser/PreventUsingLocalHostIPAddressForWebRTC**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Prevent using Localhost IP address for WebRTC*
-- GP name: *HideLocalHostIPAddress*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- 0 (default) – Allowed. Show localhost IP addresses.
-- 1 – Prevented/not allowed.
-
-Most restricted value: 1
-
-
-
-
-
-
-**Browser/ProvisionFavorites**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
-
-[!INCLUDE [provision-favorites-shortdesc](../includes/provision-favorites-shortdesc.md)]
-
-
+> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
+- If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ConfiguredFavorites |
+| Friendly Name | Provision Favorites |
+| Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.
URL can be specified as
1. HTTP location: https://localhost:8080/URLs.html
2. Local network: \\network\shares\URLs.html
3. Local file: file:///c:\\Users\\`
-
-
->[!IMPORTANT]
->Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
-
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Provision Favorites*
-- GP name: *ConfiguredFavorites*
-- GP element: *ConfiguredFavoritesPrompt*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-
-
-
-
-**Browser/SendIntranetTraffictoInternetExplorer**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../includes/send-all-intranet-sites-to-ie-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Send all intranet sites to Internet Explorer 11*
-- GP name: *SendIntranetTraffictoInternetExplorer*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically.
-- 1 - Only intranet sites open in Internet Explorer 11 automatically.
-
-Most restricted value: 0
-
-
-
-
-
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**.
-
-
-**Browser/SetDefaultSearchEngine**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
->*Supported versions: Microsoft Edge on Windows 10, version 1703*
-
-[!INCLUDE [set-default-search-engine-shortdesc](../includes/set-default-search-engine-shortdesc.md)]
-
-> [!IMPORTANT]
-> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy).
-
-
-Most restricted value: 0
-
-
-
-ADMX Info:
-- GP Friendly name: *Set default search engine*
-- GP name: *SetDefaultSearchEngine*
-- GP element: *SetDefaultSearchEngine_Prompt*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [AllowSearchEngineCustomization](#browser-allowsearchenginecustomization) policy, users can't make changes.
-- 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market.
-- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users can't change the default search engine.
-
-
-**Browser/SetHomeButtonURL**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-[!INCLUDE [set-home-button-url-shortdesc](../includes/set-home-button-url-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Set Home Button URL*
-- GP name: *SetHomeButtonURL*
-- GP element: *SetHomeButtonURLPrompt*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- Blank (default) - Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads.
-- String - Load a custom URL for the home button. You must also enable the Configure Home Button policy and select the _Show home button & set a specific page_ option.
-
-
-**Browser/SetNewTabPageURL**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-
-[!INCLUDE [set-new-tab-url-shortdesc](../includes/set-new-tab-url-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Set New Tab page URL*
-- GP name: *SetNewTabPageURL*
-- GP element: *SetNewTabPageURLPrompt*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- Blank (default) - Load the default New tab page.
-- String - Prevent users from changing the New tab page.
-
-
-**Browser/ShowMessageWhenOpeningSitesInInternetExplorer**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../includes/show-message-when-opening-sites-in-ie-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Show message when opening sites in Internet Explorer*
-- GP name: *ShowMessageWhenOpeningSitesInInternetExplorer*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- 0 (default) – No other message displays.
-- 1 – Show another message stating that a site has opened in IE11.
-- 2 - Show another message with a "Keep going in Microsoft Edge" link.
-
-Most restricted value: 0
-
-
-
-
-
-
-**Browser/SuppressEdgeDeprecationNotification**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
-This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after March 9, 2021, to avoid confusion for their enterprise users and reduce help desk calls.
-By default, a notification will be presented to the user informing them of this update upon application startup.
-With this policy, you can either allow (default) or suppress this notification.
-
-
-
-ADMX Info:
-- GP Friendly name: *Suppress Edge Deprecation Notification*
-- GP name: *SuppressEdgeDeprecationNotification*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- 0 (default) – Allowed. Notification will be shown at application startup.
-- 1 – Prevented/not allowed.
-
-
-
-Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
-
-
-[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
-
-
-
-ADMX Info:
-- GP Friendly name: *Keep favorites in sync between Internet Explorer and Microsoft Edge*
-- GP name: *SyncFavoritesBetweenIEAndMicrosoftEdge*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
-
-
-
-Supported values:
-
-- 0 (default) – Turned off/not syncing
-- 1 – Turned on/syncing
-
-
-
+
+
+
+
+
+## SendIntranetTraffictoInternetExplorer
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
+```
+
+
+
+
+This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.
+
+- If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11.
+
+- If you disable or don't configure this setting, all intranet sites are automatically opened using Microsoft Edge.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | All sites, including intranet sites, open in Microsoft Edge automatically. |
+| 1 | Only intranet sites open in Internet Explorer 11 automatically. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SendIntranetTraffictoInternetExplorer |
+| Friendly Name | Send all intranet sites to Internet Explorer 11 |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft Edge |
+| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main |
+| Registry Value Name | SendIntranetTraffictoInternetExplorer |
+| ADMX File Name | MicrosoftEdge.admx |
+
+
+
+
+
+
+
+
+
+## SetDefaultSearchEngine
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine
+```
+
+
+
+
+Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees.
+- If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetDefaultSearchEngine |
+| Friendly Name | Set default search engine |
+| Element Name | Use this format to specify the link you wish to add: `<
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
+```
+
+
+
+
+The home button can be configured to load a custom URL when your user clicks the home button. If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. Default setting: Blank or not configured Related policy: Configure Home Button
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetHomeButtonURL |
+| Friendly Name | Set Home Button URL |
+| Element Name | Enter a URL in string format. For example:
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
+```
+
+
+
+
+You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. If enabled, you can set the default New Tab page URL. If disabled or not configured, the default Microsoft Edge new tab page is used. Default setting: Disabled or not configured Related policy: Allow web content on New Tab page
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetNewTabPageURL |
+| Friendly Name | Set New Tab page URL |
+| Element Name | Enter a URL in string format. For example:
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer
+```
+
+
+
+
+You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both.
+
+If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options.
+
+If disabled or not configured, the default app behavior occurs and no additional page displays.
+
+Default setting: Disabled or not configured
+Related policies:
+-Configure the Enterprise Mode Site List
+-Send all intranet sites to Internet Explorer 11
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | No additional message displays. |
+| 1 | Show an additional message stating that a site has opened in IE11. |
+| 2 | Show an additional message with a "Keep going in Microsoft Edge" link. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ShowMessageWhenOpeningSitesInInternetExplorer |
+| Friendly Name | Show message when opening sites in Internet Explorer |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft Edge |
+| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main |
+| Registry Value Name | ShowMessageWhenOpeningSitesInInternetExplorer |
+| ADMX File Name | MicrosoftEdge.admx |
+
+
+
+
+
+
+
+
+
+## SyncFavoritesBetweenIEAndMicrosoftEdge
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
+```
+
+
+
+
+This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge.
+
+- If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge.
+
+- If you disable or don't configure this setting, employees can't sync their favorites between Internet Explorer and Microsoft Edge.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Turned off/not syncing. |
+| 1 | Turned on/syncing. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SyncFavoritesBetweenIEAndMicrosoftEdge |
+| Friendly Name | Keep favorites in sync between Internet Explorer and Microsoft Edge |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft Edge |
+| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main |
+| Registry Value Name | SyncFavoritesBetweenIEAndMicrosoftEdge |
+| ADMX File Name | MicrosoftEdge.admx |
+
+
+
+
+**Verify**:
To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge:
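Review bot: the new SetDefaultSearchEngine description disagrees with the value list this hunk removes and should be reconciled before merge. The added paragraph says twice that users or employees can still change the default search engine (unless AllowSearchEngineCustomization is applied), while the removed text for value 1 said "Users can't change the default search engine"; the removed 0/1 values are also replaced by a chr (string) format whose accepted strings (EDGEDEFAULT, EDGEBING, or a link to an OpenSearch XML file) appear only in the middle of one long paragraph, followed by a single stray "- If this setting is disabled" bullet. Suggest splitting that paragraph into enabled / disabled / not configured bullets like the neighbouring policies, stating once whether the engine is locked, and listing the string values in their own table. Two smaller points in the same hunk: the removed "Most restricted value" lines (0 for SendIntranetTraffictoInternetExplorer and ShowMessageWhenOpeningSitesInInternetExplorer) have no counterpart in the new sections, so a reader building a hardening baseline from this page loses that guidance; and the related policies under ShowMessageWhenOpeningSitesInInternetExplorer are written as "-Configure the Enterprise Mode Site List" with no space after the hyphen, so they will not render as list items.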
@@ -3329,123 +3818,163 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
+
-
-
+
-
+
+## UnlockHomeButton
-
-**Browser/UnlockHomeButton**
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-
+
+```User
+./User/Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton
+```
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
+```Device
+./Device/Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton
+```
+
+
+
+By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled.
-
-
+If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL.
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes.
-> [!div class = "checklist"]
-> * User
-> * Device
+Default setting: Disabled or not configured
+Related policy:
+-Configure Home Button
+-Set Home Button URL
+
-
+
+
+
-
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-[!INCLUDE [unlock-home-button-shortdesc](../includes/unlock-home-button-shortdesc.md)]
+
+**Allowed values**:
-
-
-ADMX Info:
-- GP Friendly name: *Unlock Home Button*
-- GP name: *UnlockHomeButton*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Lock down and prevent users from making changes to the settings. |
+| 1 | Let users make changes. |
+
-
-
-Supported values:
+
+**Group policy mapping**:
-- 0 (default) - Lock down and prevent users from making changes to the settings.
-- 1 - Let users make changes.
+| Name | Value |
+|:--|:--|
+| Name | UnlockHomeButton |
+| Friendly Name | Unlock Home Button |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft Edge |
+| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings |
+| Registry Value Name | UnlockHomeButton |
+| ADMX File Name | MicrosoftEdge.admx |
+
-
-
+
+
+
-
-
+
-
-
+
+## UseSharedFolderForBooks
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
-
-**Browser/UseSharedFolderForBooks**
+
+```User
+./User/Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks
+```
-
+```Device
+./Device/Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|No|
-|Windows SE|No|No|
-|Business|Yes|No|
-|Enterprise|Yes|No|
-|Education|Yes|No|
+
+
+This policy setting lets you decide whether Microsoft Edge stores books from the Books tab to a default, shared folder for Windows.
+- If you enable this setting, Microsoft Edge automatically downloads book files to a common, shared folder and prevents students and teachers from removing the book from the Books tab. For this to work properly, your students and teachers must be signed in using a school account.
-
-
+- If you disable or don't configure this setting, Microsoft Edge downloads book files to a per-user folder for each student or teacher.
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
-> [!div class = "checklist"]
-> * User
-> * Device
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
+
+**Allowed values**:
-[!INCLUDE [allow-a-shared-books-folder-shortdesc](../includes/allow-a-shared-books-folder-shortdesc.md)]
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. |
+| 1 | Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. |
+
-
-
-ADMX Info:
-- GP Friendly name: *Allow a shared Books folder*
-- GP name: *UseSharedFolderForBooks*
-- GP path: *Windows Components/Microsoft Edge*
-- GP ADMX file name: *MicrosoftEdge.admx*
+
+**Group policy mapping**:
-
-
-Supported values:
+| Name | Value |
+|:--|:--|
+| Name | UseSharedFolderForBooks |
+| Friendly Name | Allow a shared Books folder |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Microsoft Edge |
+| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary |
+| Registry Value Name | UseSharedFolderForBooks |
+| ADMX File Name | MicrosoftEdge.admx |
+
-- 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user.
-- 1 - Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account.
+
+
+
-Most restricted value: 0
-
-
-
+
+
+
+
+
-
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
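Review bot: the new Scope / Editions / Applicable OS tables for UnlockHomeButton and UseSharedFolderForBooks change the stated applicability without explanation. The removed tables listed Windows SE as "No" and Windows 11 as "No" for every edition, while the added cells mark Windows SE as supported and give "Windows 10, version 1809 [10.0.17763] and later" (1803 for UseSharedFolderForBooks), which reads as including Windows 11. Please confirm which is correct; if these policies still do not apply to Windows 11, say so in the Applicable OS cell. In UseSharedFolderForBooks the added description and the added Allowed values row also disagree: the "If you enable" bullet requires a "school account" and nothing else, while the row for value 1 requires a "school or work account" and the Allow a Windows app to share application data between users group policy; the description should carry the same prerequisites. The removed "Most restricted value: 0" line has no replacement, and the related policies under UnlockHomeButton ("-Configure Home Button", "-Set Home Button URL") need a space after the hyphen to render as a list.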
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index 8c04fb2ffd..6b88a97e01 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -1,86 +1,98 @@
---
-title: Policy CSP - Camera
-description: Learn how to use the Policy CSP - Camera setting so that you can configure it to disable or enable the camera.
+title: Camera Policy CSP
+description: Learn more about the Camera Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - Camera
+
+
+
+
+## AllowCamera
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-
-## Camera policies
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera
+```
+
-
-
+
+
+This policy setting allow the use of Camera devices on the machine.
+- If you enable or do not configure this policy setting, Camera devices will be enabled.
-
+- If you disable this property setting, Camera devices will be disabled.
+
-
-**Camera/AllowCamera**
+
+
+
-
+
+**Description framework properties**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-
-
+
+**Allowed values**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
-> [!div class = "checklist"]
-> * Device
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | L_AllowCamera |
+| Friendly Name | Allow Use of Camera |
+| Location | Computer Configuration |
+| Path | Windows Components > Camera |
+| Registry Key Name | software\Policies\Microsoft\Camera |
+| Registry Value Name | AllowCamera |
+| ADMX File Name | Camera.admx |
+
-
-
-Disables or enables the camera.
+
+
+
-Most restricted value is 0.
+
-
-
-ADMX Info:
-- GP Friendly name: *Allow Use of Camera*
-- GP name: *L_AllowCamera*
-- GP path: *Windows Components/Camera*
-- GP ADMX file name: *Camera.admx*
+
+
+
-
-
-The following list shows the supported values:
+
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-
+## Related articles
+[Policy configuration service provider](policy-configuration-service-provider.md)
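Review bot: `-Most restricted value is 0.` is deleted and nothing in the new AllowCamera section replaces it; because this hunk covers the whole file, the hardening guidance is lost from the page. Suggest restating it in the description or next to the Allowed values table. In the new description, `This policy setting allow the use of Camera devices` should read `allows`, and `If you disable this property setting` should say `policy setting` to match the preceding bullet. The new Scope table also marks Windows SE as supported from Windows 10, version 1507, where the removed table had Windows SE as No for Windows 10, and it drops the Business row; please confirm both are intended.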
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index fc801d1859..6931233c08 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -1,84 +1,52 @@
---
-title: Policy CSP - Cellular
-description: Learn how to use the Policy CSP - Cellular setting so you can specify whether Windows apps can access cellular data.
+title: Cellular Policy CSP
+description: Learn more about the Cellular Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - Cellular
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
-
+
+## LetAppsAccessCellularData
-
-## Cellular policies
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cellular/LetAppsAccessCellularData
+```
+
-
-
-
-
-**Cellular/LetAppsAccessCellularData**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting specifies whether Windows apps can access cellular data.
+
+
+
You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
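Review bot: the TIP link changes from `../understanding-admx-backed-policies.md` to `./understanding-admx-backed-policies.md`, so it now resolves inside `mdm/` rather than the parent directory; nothing in this hunk shows the target being moved, so please confirm the link still resolves. The merged header TIP also drops the pointer to the `#enabling-a-policy` example SyncML, which was the most practical part of the old note for someone writing the payload; consider keeping it here.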
@@ -89,210 +57,272 @@ If you choose the "Force Deny" option, Windows apps aren't allowed to access cel
If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
-If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.”
+If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
+
-
-
-ADMX Info:
-- GP Friendly name: *Let Windows apps access cellular data*
-- GP name: *LetAppsAccessCellularData*
-- GP element: *LetAppsAccessCellularData_Enum*
-- GP path: *Network/WWAN Service/Cellular Data Access*
-- GP ADMX file name: *wwansvc.admx*
+
+**Description framework properties**:
-
-
-The following list shows the supported values:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-- 0 - User is in control
-- 1 - Force Allow
-- 2 - Force Deny
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 0 (Default) | User is in control. |
+| 1 | Force Allow. |
+| 2 | Force Deny. |
+
-
+
+**Group policy mapping**:
-
-**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps**
+| Name | Value |
+|:--|:--|
+| Name | LetAppsAccessCellularData |
+| Friendly Name | Let Windows apps access cellular data |
+| Element Name | Default for all apps |
+| Location | Computer Configuration |
+| Path | Network > WWAN Service > Cellular Data Access |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess |
+| ADMX File Name | wwansvc.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+## LetAppsAccessCellularData_ForceAllowTheseApps
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
+```
+
-> [!div class = "checklist"]
-> * Device
+
+
+List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+
-
+
+
+
-
-
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
+
+**Description framework properties**:
-
-
-ADMX Info:
-- GP Friendly name: *Let Windows apps access cellular data*
-- GP name: *LetAppsAccessCellularData*
-- GP element: *LetAppsAccessCellularData_ForceAllowTheseApps_List*
-- GP path: *Network/WWAN Service/Cellular Data Access*
-- GP ADMX file name: *wwansvc.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
-
-
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | LetAppsAccessCellularData |
+| Friendly Name | Let Windows apps access cellular data |
+| Location | Computer Configuration |
+| Path | Network > WWAN Service > Cellular Data Access |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess |
+| ADMX File Name | wwansvc.admx |
+
-
-**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## LetAppsAccessCellularData_ForceDenyTheseApps
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
+```
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+
-> [!div class = "checklist"]
-> * Device
+
+
+
-
+
+**Description framework properties**:
-
-
-List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
-
-
-ADMX Info:
-- GP Friendly name: *Let Windows apps access cellular data*
-- GP name: *LetAppsAccessCellularData*
-- GP element: *LetAppsAccessCellularData_ForceDenyTheseApps_List*
-- GP path: *Network/WWAN Service/Cellular Data Access*
-- GP ADMX file name: *wwansvc.admx*
+
+**Group policy mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | LetAppsAccessCellularData |
+| Friendly Name | Let Windows apps access cellular data |
+| Location | Computer Configuration |
+| Path | Network > WWAN Service > Cellular Data Access |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess |
+| ADMX File Name | wwansvc.admx |
+
-
+
+
+
-
-**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps**
+
-
+
+## LetAppsAccessCellularData_UserInControlOfTheseApps
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
+```
+
-
-
+
+
+List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
-> [!div class = "checklist"]
-> * Device
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
-
-
-List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
+
+**Group policy mapping**:
-
-
-ADMX Info:
-- GP Friendly name: *Let Windows apps access cellular data*
-- GP name: *LetAppsAccessCellularData*
-- GP element: *LetAppsAccessCellularData_UserInControlOfTheseApps_List*
-- GP path: *Network/WWAN Service/Cellular Data Access*
-- GP ADMX file name: *wwansvc.admx*
+| Name | Value |
+|:--|:--|
+| Name | LetAppsAccessCellularData |
+| Friendly Name | Let Windows apps access cellular data |
+| Location | Computer Configuration |
+| Path | Network > WWAN Service > Cellular Data Access |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess |
+| ADMX File Name | wwansvc.admx |
+
-
-
+
+
+
-
+
-
-**Cellular/ShowAppCellularAccessUI**
+
+## ShowAppCellularAccessUI
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cellular/ShowAppCellularAccessUI
+```
+
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX.
-If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page.
-If this policy setting is disabled or isn't configured, the link to the per-application cellular access control page is shown by default.
+- If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page.
+- If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Set Per-App Cellular Access UI Visibility*
-- GP name: *ShowAppCellularAccessUI*
-- GP path: *Network/WWAN Service/WWAN UI Settings*
-- GP ADMX file name: *wwansvc.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+**ADMX mapping**:
+| Name | Value |
+|:--|:--|
+| Name | ShowAppCellularAccessUI |
+| Friendly Name | Set Per-App Cellular Access UI Visibility |
+| Location | Computer Configuration |
+| Path | Network > WWAN Service > WWAN UI Settings |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\UISettings |
+| ADMX File Name | wwansvc.admx |
+
-
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
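Review bot: the three per-app list policies lose their `GP element` lines (`LetAppsAccessCellularData_ForceAllowTheseApps_List`, `LetAppsAccessCellularData_ForceDenyTheseApps_List`, `LetAppsAccessCellularData_UserInControlOfTheseApps_List`), and the new Group policy mapping tables for them are identical, with no Element Name or Registry Value Name row, so a reader can no longer tell which Group Policy element each CSP node maps to. Only LetAppsAccessCellularData keeps an `Element Name` row; suggest adding the element name to each of the other three tables. Smaller points: ForceAllowTheseApps now says `Windows Store Apps` while the other two list policies say `Microsoft Store Apps`; `is showed by default` in ShowAppCellularAccessUI should be `is shown`, as the removed line had it; and ShowAppCellularAccessUI has no Allowed values table even though its description refers to "Hide" and "Show".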
diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md
index f8bcc48c1b..e614be7f73 100644
--- a/windows/client-management/mdm/policy-csp-clouddesktop.md
+++ b/windows/client-management/mdm/policy-csp-clouddesktop.md
@@ -1,10 +1,10 @@
---
title: CloudDesktop Policy CSP
-description: Learn more about the CloudDesktop Area in Policy CSP
+description: Learn more about the CloudDesktop Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 12/09/2022
+ms.date: 01/09/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -42,7 +42,7 @@ This policy allows the user to configure the boot to cloud mode. Boot to Cloud m
This policy supports the below options:
1. Not Configured: Machine will not trigger the Cloud PC connection automatically.
-2. Enable Boot to Cloud Desktop: The user will see that configured Cloud PC Provider application launches automatically. Once the sign-in operation finishes, the user is seamlessly connected to a provisioned Cloud PC.
+2. Enable Boot to Cloud Desktop: Users who have a Cloud PC provisioned will get connected seamlessly to the Cloud PC as they finish sign-in operation.
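Review bot: the rewritten option 2 no longer says that the configured Cloud PC Provider application launches automatically, and it does not say what a user without a provisioned Cloud PC sees at sign-in. Since this option changes what happens at boot, suggest keeping the launch behaviour from the removed line and stating the fallback case. `as they finish sign-in operation` also needs an article (`the sign-in operation`).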
@@ -64,8 +64,8 @@ This policy supports the below options:
| Value | Description |
|:--|:--|
-| 0 (Default) | Not Configured |
-| 1 | Enable Boot to Cloud Desktop |
+| 0 (Default) | Not Configured. |
+| 1 | Enable Boot to Cloud Desktop. |
diff --git a/windows/client-management/mdm/policy-csp-cloudpc.md b/windows/client-management/mdm/policy-csp-cloudpc.md
index 0c497a0c4e..dd52780e9a 100644
--- a/windows/client-management/mdm/policy-csp-cloudpc.md
+++ b/windows/client-management/mdm/policy-csp-cloudpc.md
@@ -4,7 +4,7 @@ description: Learn more about the CloudPC Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 11/02/2022
+ms.date: 12/27/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -26,7 +26,7 @@ ms.topic: reference
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Windows Insider Preview |
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
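Review bot: the Editions cell flips Pro, Enterprise, Education and Windows SE from :x: to :heavy_check_mark: while Applicable OS stays at Windows Insider Preview, and nothing in the patch explains the change. Please confirm the edition support is accurate for a preview-only policy and record the reason for the change in the commit description.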
@@ -36,6 +36,7 @@ ms.topic: reference
+
This policy is used by IT admin to set the configuration mode of cloud PC.
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index e9849f6706..0254386450 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -1,786 +1,924 @@
---
-title: Policy CSP - Connectivity
-description: Learn how to use the Policy CSP - Connectivity setting to allow the user to enable Bluetooth or restrict access.
+title: Connectivity Policy CSP
+description: Learn more about the Connectivity Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - Connectivity
->[!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> [!TIP]
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
-
+
+## AllowBluetooth
-
-## Connectivity policies
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowBluetooth
+```
+
-
-
-
-
-**Connectivity/AllowBluetooth**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy allows the user to enable Bluetooth or restrict access.
+
+
+Allows the user to enable Bluetooth or restrict access
> [!NOTE]
-> This value isn't supported in Windows 10.
+> This value is not supported in Windows Phone 8. 1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. If this is not set or it is deleted, the default value of 2 (Allow) is used. Most restricted value is 0.
+
-If this policy isn't set or is deleted, the default value of 2 (Allow) is used.
+
+
+
-Most restricted value is 0.
+
+**Description framework properties**:
-
-
-The following list shows the supported values:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 2 |
+
-- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be grayed out and the user won't be able to turn on Bluetooth.
-- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn on Bluetooth.
-- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn on Bluetooth.
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 0 | Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be grayed out and the user will not be able to turn Bluetooth on. |
+| 1 | Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. |
+| 2 (Default) | Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. |
+
-
+
+
+
-
-**Connectivity/AllowCellularData**
+
-
+
+## AllowCellularData
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowCellularData
+```
+
-
-
+
+
+Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
-> [!div class = "checklist"]
-> * Device
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-
-
+
+**Allowed values**:
-This policy allows the cellular data channel on the device. Device reboot isn't required to enforce the policy.
+| Value | Description |
+|:--|:--|
+| 0 | Do not allow the cellular data channel. The user cannot turn it on. This value is not supported in Windows 10, version 1511. |
+| 1 (Default) | Allow the cellular data channel. The user can turn it off. |
+| 2 | Allow the cellular data channel. The user cannot turn it off. |
+
-
-
-The following list shows the supported values:
+
+
+
-- 0 – Don't allow the cellular data channel. The user can't turn it on. This value isn't supported in Windows 10, version 1511.
-- 1 (default) – Allow the cellular data channel. The user can turn it off.
-- 2 - Allow the cellular data channel. The user can't turn it off.
+
-
-
+
+## AllowCellularDataRoaming
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-
-**Connectivity/AllowCellularDataRoaming**
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowCellularDataRoaming
+```
+
-
+
+
+This policy setting prevents clients from connecting to Mobile Broadband networks when the client is registered on a roaming provider network.
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+- If this policy setting is enabled, all automatic and manual connection attempts to roaming provider networks are blocked until the client registers with the home provider network.
+- If this policy setting is not configured or is disabled, clients are allowed to connect to roaming provider Mobile Broadband networks.
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+**Description framework properties**:
-> [!div class = "checklist"]
-> * Device
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-
+
+**Allowed values**:
-
-
-Allows or disallows cellular data roaming on the device. Device reboot isn't required to enforce the policy.
+| Value | Description |
+|:--|:--|
+| 0 | Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511. |
+| 1 (Default) | Allow cellular data roaming. |
+| 2 | Allow cellular data roaming on. The user cannot turn it off. |
+
-Most restricted value is 0.
+
+**Group policy mapping**:
-
-
-ADMX Info:
-- GP Friendly name: *Prohibit connection to roaming Mobile Broadband networks*
-- GP name: *WCM_DisableRoaming*
-- GP path: *Network/Windows Connection Manager*
-- GP ADMX file name: *WCM.admx*
+| Name | Value |
+|:--|:--|
+| Name | WCM_DisableRoaming |
+| Friendly Name | Prohibit connection to roaming Mobile Broadband networks |
+| Location | Computer Configuration |
+| Path | Network > Windows Connection Manager |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy |
+| Registry Value Name | fBlockRoaming |
+| ADMX File Name | WCM.admx |
+
-
-
-The following list shows the supported values:
+
+
+**Validate**:
-- 0 – Don't allow cellular data roaming. The user can't turn it on. This value isn't supported in Windows 10, version 1511.
-- 1 (default) – Allow cellular data roaming.
-- 2 - Allow cellular data roaming on. The user can't turn it off.
+To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. To validate on a device, perform the following steps:
-
-
-To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.
+1. Go to Cellular & SIM.
+2. Click on the SIM (next to the signal strength icon) and select **Properties**.
+3. On the Properties page, select **Data roaming options**.
+
-To validate on devices, perform the following steps:
+
-1. Go to Cellular & SIM.
-2. Click on the SIM (next to the signal strength icon) and select **Properties**.
-3. On the Properties page, select **Data roaming options**.
+
+## AllowConnectedDevices
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowConnectedDevices
+```
+
-
-**Connectivity/AllowConnectedDevices**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
> [!NOTE]
-> This policy requires reboot to take effect.
+> This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
+
-This policy allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
+
+
+
-
-
-The following list shows the supported values:
+
+**Description framework properties**:
-- 1 (default) - Allow (CDP service available).
-- 0 - Disable (CDP service not available).
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-
-
+
+**Allowed values**:
-
+| Value | Description |
+|:--|:--|
+| 0 | Disable (CDP service not available). |
+| 1 (Default) | Allow (CDP service available). |
+
-
-**Connectivity/AllowPhonePCLinking**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## AllowNFC
+> [!NOTE]
+> This policy is deprecated and may be removed in a future release.
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowNFC
+```
+
-> [!div class = "checklist"]
-> * Device
+
+
+This policy is deprecated.
+
-
+
+
+
-
-
-This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC.
+
+**Description framework properties**:
-If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-If you disable this policy setting, the Windows device isn't allowed to be linked to phones, will remove itself from the device list of any linked Phones, and can't participate in 'Continue on PC experiences'.
+
+**Allowed values**:
-If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
+| Value | Description |
+|:--|:--|
+| 0 | Disabled. |
+| 1 (Default) | Enabled. |
+
-
-
-ADMX Info:
-- GP name: *enableMMX*
-- GP ADMX file name: *grouppolicy.admx*
+
+
+
-
-
-This setting supports a range of values between 0 and 1.
+
-- 0 - Don't link
-- 1 (default) - Allow phone-PC linking
+
+## AllowPhonePCLinking
-
-
-Validation:
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowPhonePCLinking
+```
+
+
+
+
+This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC.
+
+- If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences.
+
+- If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences.
+
+- If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Do not link. |
+| 1 (Default) | Allow phone-PC linking. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableMMX |
+| Friendly Name | Phone-PC linking on this device |
+| Location | Computer Configuration |
+| Path | System > Group Policy |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
+| Registry Value Name | EnableMmx |
+| ADMX File Name | GroupPolicy.admx |
+
+
+
+
+**Validate**:
If the Connectivity/AllowPhonePCLinking policy is configured to value 0, add a phone button in the Phones section in settings will be grayed out and clicking it will not launch the window for a user to enter their phone number.
Device that has previously opt-in to MMX will also stop showing on the device list.
+
-
-
+
-
+
+## AllowUSBConnection
-
-**Connectivity/AllowUSBConnection**
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowUSBConnection
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|No|No|
-|Windows SE|No|No|
-|Business|No|No|
-|Enterprise|No|No|
-|Education|No|No|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
> [!NOTE]
-> Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition.
+> Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0.
+
-Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy doesn't affect USB charging.
+
+
+
-Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.
+
+**Description framework properties**:
-Most restricted value is 0.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-
-
-The following list shows the supported values:
+
+**Allowed values**:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
-
-
+
+
+
-
+
-
-**Connectivity/AllowVPNOverCellular**
+
+## AllowVPNOverCellular
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowVPNOverCellular
+```
+
+
+
+Specifies what type of underlying connections VPN is allowed to use. Most restricted value is 0.
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+**Description framework properties**:
-> [!div class = "checklist"]
-> * Device
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-
+
+**Allowed values**:
-
-
-Specifies what type of underlying connections VPN is allowed to use.
+| Value | Description |
+|:--|:--|
+| 0 | VPN is not allowed over cellular. |
+| 1 (Default) | VPN can use any connection, including cellular. |
+
-Most restricted value is 0.
+
+
+
-
-
-The following list shows the supported values:
+
-- 0 – VPN isn't allowed over cellular.
-- 1 (default) – VPN can use any connection, including cellular.
+
+## AllowVPNRoamingOverCellular
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowVPNRoamingOverCellular
+```
+
-
-**Connectivity/AllowVPNRoamingOverCellular**
+
+
+Prevents the device from connecting to VPN when the device roams over cellular networks. Most restricted value is 0.
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-
-
+
+**Allowed values**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
-> [!div class = "checklist"]
-> * Device
+
+
+
-
+
-
-
-This policy prevents the device from connecting to VPN when the device roams over cellular networks.
+
+## DiablePrintingOverHTTP
-Most restricted value is 0.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-
-
-The following list shows the supported values:
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/DiablePrintingOverHTTP
+```
+
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Connectivity/DisablePrintingOverHTTP**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting specifies whether to allow printing over HTTP from this client.
-Printing over HTTP allows a client to print to printers on the intranet and the Internet.
+Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.
-Note: This policy setting affects the client side of Internet printing only. It doesn't prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP.
+> [!NOTE]
+> This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP.
-If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP.
+- If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP.
-If you disable or don't configure this policy setting, users can choose to print to Internet printers over HTTP.
+- If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP.
Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Turn off printing over HTTP*
-- GP name: *DisableHTTPPrinting_2*
-- GP path: *Internet Communication settings*
-- GP ADMX file name: *ICM.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-
-**Connectivity/DisableDownloadingOfPrintDriversOverHTTP**
+| Name | Value |
+|:--|:--|
+| Name | DisableHTTPPrinting_2 |
+| Friendly Name | Turn off printing over HTTP |
+| Location | Computer Configuration |
+| Path | InternetManagement > Internet Communication settings |
+| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers |
+| Registry Value Name | DisableHTTPPrinting |
+| ADMX File Name | ICM.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+## DisableDownloadingOfPrintDriversOverHTTP
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/DisableDownloadingOfPrintDriversOverHTTP
+```
+
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting specifies whether to allow this client to download print driver packages over HTTP.
To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP.
-Note: This policy setting doesn't prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that aren't already installed locally.
+> [!NOTE]
+> This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally.
-If you enable this policy setting, print drivers can't be downloaded over HTTP.
+- If you enable this policy setting, print drivers cannot be downloaded over HTTP.
-If you disable or don't configure this policy setting, users can download print drivers over HTTP.
+- If you disable or do not configure this policy setting, users can download print drivers over HTTP.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Turn off downloading of print drivers over HTTP*
-- GP name: *DisableWebPnPDownload_2*
-- GP path: *Internet Communication settings*
-- GP ADMX file name: *ICM.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-
-**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards**
+| Name | Value |
+|:--|:--|
+| Name | DisableWebPnPDownload_2 |
+| Friendly Name | Turn off downloading of print drivers over HTTP |
+| Location | Computer Configuration |
+| Path | InternetManagement > Internet Communication settings |
+| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers |
+| Registry Value Name | DisableWebPnPDownload |
+| ADMX File Name | ICM.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+## DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards
+```
+
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards.
These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry.
-If you enable this policy setting, Windows doesn't download providers, and only the service providers that are cached in the local registry are displayed.
+- If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed.
-If you disable or don't configure this policy setting, a list of providers is downloaded when the user uses the web publishing or online ordering wizards.
+- If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards.
-For more information, including details on specifying service providers in the registry, see the documentation for the web publishing and online ordering wizards.
+See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Turn off Internet download for Web publishing and online ordering wizards*
-- GP name: *ShellPreventWPWDownload_2*
-- GP path: *Internet Communication settings*
-- GP ADMX file name: *ICM.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-
-**Connectivity/DisallowNetworkConnectivityActiveTests**
+| Name | Value |
+|:--|:--|
+| Name | ShellPreventWPWDownload_2 |
+| Friendly Name | Turn off Internet download for Web publishing and online ordering wizards |
+| Location | Computer Configuration |
+| Path | InternetManagement > Internet Communication settings |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
+| Registry Value Name | NoWebServices |
+| ADMX File Name | ICM.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+## DisallowNetworkConnectivityActiveTests
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/DisallowNetworkConnectivityActiveTests
+```
+
-> [!div class = "checklist"]
-> * Device
+
+
+This policy setting turns off the active tests performed by the Windows Network Connectivity Status Indicator (NCSI) to determine whether your computer is connected to the Internet or to a more limited network.
-
+As part of determining the connectivity level, NCSI performs one of two active tests: downloading a page from a dedicated Web server or making a DNS request for a dedicated address.
-
-
-Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to `
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-**Connectivity/HardenedUNCPaths**
+
+**Allowed values**:
-
+| Value | Description |
+|:--|:--|
+| 1 | Allow. |
+| 0 (Default) | Block. |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+**Group policy mapping**:
+| Name | Value |
+|:--|:--|
+| Name | NoActiveProbe |
+| Friendly Name | Turn off Windows Network Connectivity Status Indicator active tests |
+| Location | Computer Configuration |
+| Path | InternetManagement > Internet Communication settings |
+| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator |
+| Registry Value Name | NoActiveProbe |
+| ADMX File Name | ICM.admx |
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * Device
+
+## HardenedUNCPaths
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/HardenedUNCPaths
+```
+
+
+
+
This policy setting configures secure access to UNC paths.
-If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling other security requirements.
+- If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.
+
-
+
+
+For more information, see [MS15-011: Vulnerability in Group Policy could allow remote code execution](https://support.microsoft.com/kb/3000483).
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Hardened UNC Paths*
-- GP name: *Pol_HardenedPaths*
-- GP path: *Network/Network Provider*
-- GP ADMX file name: *networkprovider.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-
-**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge**
+| Name | Value |
+|:--|:--|
+| Name | Pol_HardenedPaths |
+| Friendly Name | Hardened UNC Paths |
+| Location | Computer Configuration |
+| Path | Network > Network Provider |
+| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths |
+| ADMX File Name | NetworkProvider.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+## ProhibitInstallationAndConfigurationOfNetworkBridge
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge
+```
+
-> [!div class = "checklist"]
-> * Device
+
+
+Determines whether a user can install and configure the Network Bridge.
-
+> [!IMPORTANT]
+> This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.
-
-
-This policy determines whether a user can install and configure the Network Bridge.
+The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder.
-Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting doesn't apply.
+- If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer.
+
-The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segments together. This connection appears in the Network Connections folder.
+
+
+
-If you disable this setting or don't configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting doesn't remove an existing Network Bridge from the user's computer.
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-ADMX Info:
-- GP Friendly name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
-- GP name: *NC_AllowNetBridge_NLA*
-- GP path: *Network/Network Connections*
-- GP ADMX file name: *NetworkConnections.admx*
+**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | NC_AllowNetBridge_NLA |
+| Friendly Name | Prohibit installation and configuration of Network Bridge on your DNS domain network |
+| Location | Computer Configuration |
+| Path | Network > Network Connections |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections |
+| Registry Value Name | NC_AllowNetBridge_NLA |
+| ADMX File Name | NetworkConnections.admx |
+
-
+
+
+
+
+
+
+
-
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
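Review bot: The new heading `## DiablePrintingOverHTTP` and its OMA-URI `./Device/Vendor/MSFT/Policy/Config/Connectivity/DiablePrintingOverHTTP` drop the "s" that the removed heading `**Connectivity/DisablePrintingOverHTTP**` had. Please confirm which spelling the CSP node actually uses. If "Diable" is the real node name, say so in the section so nobody "corrects" the URI in a deployed profile; if it is not, fix both lines. In the DisallowNetworkConnectivityActiveTests section the allowed-values rows read `1 | Allow.` and `0 (Default) | Block.` for a policy whose group policy name is NoActiveProbe, which leaves it unclear whether 1 allows the NCSI active tests or allows the policy to turn them off; state what is being allowed or blocked. The rewrite also introduces wording regressions that the removed lines did not have: "This settings is location aware" and "network segements" in ProhibitInstallationAndConfigurationOfNetworkBridge, "a list of providers are downloaded" in the wizards section, and "tasks that requires linking" in AllowPhonePCLinking. Finally, the AllowUSBConnection description (MTP and IP over USB disabled, most restricted value 0) is now folded into the HoloLens-only `[!NOTE]` callout, and the CDP description is likewise inside the blockquote that carries the reboot caveat; move the descriptions back out so each callout holds only its caveat.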
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index e8769b8986..f955123b29 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -1,78 +1,56 @@
---
-title: Policy CSP - ControlPolicyConflict
-description: Use the Policy CSP - ControlPolicyConflict setting to control which policy is used whenever both the MDM policy and its equivalent Group Policy are set on the device.
+title: ControlPolicyConflict Policy CSP
+description: Learn more about the ControlPolicyConflict Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.reviewer:
-manager: aaroncz
-ms.date: 12/31/2017
+ms.topic: reference
---
+
+
+
# Policy CSP - ControlPolicyConflict
+
+
+
+
+## MDMWinsOverGP
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
-
-## ControlPolicyConflict policies
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
+```
+
-
-**ControlPolicyConflict/MDMWinsOverGP**
+
+
+If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies.
+
-> [!NOTE]
-> This setting doesn't apply to the following types of group policies:
->
-> - If they don't map to an MDM policy. For example, Windows Settings > Security Settings > Public Key Policies.
-> - If they are group policies that aren't defined by an ADMX template. For example, Windows Settings > Scripts.
-> - If they have list entries. For example, Administrative Templates > Windows Components > ActiveX Installer Service > Approved Installation Sites for ActiveX Controls.
-> - If they are in the Windows Update category.
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device.
+
+
> [!NOTE]
> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs.
-
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel.
The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
> [!NOTE]
> This policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1.
-The following list shows the supported values:
-
-- 0 (default)
-- 1 - The MDM policy is used and the GP policy is blocked.
-
The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy.
This ensures that:
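Review bot: The new MDMWinsOverGP description says "Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks", but the unchanged note a few lines below still says the policy doesn't support the Delete command or setting the value back to 0 after it was 1, with Delete support arriving in Windows 10 version 1809. Reconcile the two so an admin can tell on which versions rollback works. The same sentence is missing a conjunction: "blocks restore the saved GP policies" should read "blocks and restore the saved GP policies". The hunk also deletes the note listing the group policy types this setting doesn't apply to (no MDM mapping, not defined by an ADMX template, list entries, Windows Update category), and nothing visible here replaces it; keep that list, since it scopes what setting the value to 1 actually covers.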
@@ -91,18 +69,39 @@ For the list MDM-GP mapping list, see [Policies in Policy CSP supported by Group
](./policies-in-policy-csp-supported-by-group-policy.md).
The MDM Diagnostic report shows the applied configurations states of a device including policies, certificates, configuration sources, and resource information. The report includes a list of blocked GP settings because MDM equivalent is configured, if any. To get the diagnostic report, go to **Settings** > **Accounts** > **Access work or school** > and then click the desired work or school account. Scroll to the bottom of the page to **Advanced Diagnostic Report** and then click **Create Report**.
+
-
-
-The following list shows the supported values:
+
+**Description framework properties**:
-- 0 (default)
-- 1 - The MDM policy is used and the GP policy is blocked.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
-
+
+**Allowed values**:
+| Value | Description |
+|:--|:--|
+| 0 (Default) | . |
+| 1 | The MDM policy is used and the GP policy is blocked. |
+
+
+
+
-
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
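Review bot: In the Allowed values table the row `| 0 (Default) | . |` has only a period as its description. The removed list gave no text for 0 either, but a table cell rendered as "." reads as a generation artifact, so describe what 0 means in words consistent with the description sentence earlier in the file. The properties table in this hunk also lists Delete under Access Type; check that against the unchanged note that says the policy doesn't support the Delete command before Windows 10 version 1809.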
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index 6b8fff0b9e..395755ed2e 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -1,200 +1,212 @@
---
-title: Policy CSP - CredentialProviders
-description: Learn how to use the policy CSP for credential provider so you can control whether a domain user can sign in using a convenience PIN.
+title: CredentialProviders Policy CSP
+description: Learn more about the CredentialProviders Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - CredentialProviders
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
-
+
+## AllowPINLogon
-
-## CredentialProviders policies
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/CredentialProviders/AllowPINLogon
+```
+
-
-
-
-
-**CredentialProviders/AllowPINLogon**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting allows you to control whether a domain user can sign in using a convenience PIN.
-If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
+- If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
-If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.
+- If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.
> [!NOTE]
> The user's domain password will be cached in the system vault when using this feature.
To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Turn on convenience PIN sign-in*
-- GP name: *AllowDomainPINLogon*
-- GP path: *System/Logon*
-- GP ADMX file name: *credentialproviders.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-
-**CredentialProviders/BlockPicturePassword**
+| Name | Value |
+|:--|:--|
+| Name | AllowDomainPINLogon |
+| Friendly Name | Turn on convenience PIN sign-in |
+| Location | Computer Configuration |
+| Path | System > Logon |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
+| Registry Value Name | AllowDomainPINLogon |
+| ADMX File Name | CredentialProviders.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+## BlockPicturePassword
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/CredentialProviders/BlockPicturePassword
+```
+
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting allows you to control whether a domain user can sign in using a picture password.
-If you enable this policy setting, a domain user can't set up or sign in with a picture password.
+- If you enable this policy setting, a domain user can't set up or sign in with a picture password.
-If you disable or don't configure this policy setting, a domain user can set up and use a picture password.
+- If you disable or don't configure this policy setting, a domain user can set up and use a picture password.
-> [!NOTE]
-> The user's domain password will be cached in the system vault when using this feature.
+**Note** that the user's domain password will be cached in the system vault when using this feature.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Turn off picture password sign-in*
-- GP name: *BlockDomainPicturePassword*
-- GP path: *System/Logon*
-- GP ADMX file name: *credentialproviders.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-
-**CredentialProviders/DisableAutomaticReDeploymentCredentials**
+| Name | Value |
+|:--|:--|
+| Name | BlockDomainPicturePassword |
+| Friendly Name | Turn off picture password sign-in |
+| Location | Computer Configuration |
+| Path | System > Logon |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
+| Registry Value Name | BlockDomainPicturePassword |
+| ADMX File Name | CredentialProviders.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+## DisableAutomaticReDeploymentCredentials
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials
+```
+
-> [!div class = "checklist"]
-> * Device
+
+
+Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students.
+
-
+
+
+
-
-
-Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.
+
+**Description framework properties**:
-The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-
-
-The following list shows the supported values:
+
+**Allowed values**:
-0 - Enable the visibility of the credentials for Autopilot Reset
-1 - Disable visibility of the credentials for Autopilot Reset
+| Value | Description |
+|:--|:--|
+| 0 | Enable the visibility of the credentials for Autopilot Reset. |
+| 1 (Default) | Disable visibility of the credentials for Autopilot Reset. |
+
-
-
-
+
+
+
+
+
+
+
-
+
-## Related topics
+## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
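Review bot: In the BlockPicturePassword description, the `> [!NOTE]` callout about the user's domain password being cached in the system vault becomes inline text (`**Note** that the user's domain password will be cached in the system vault when using this feature.`), while AllowPINLogon in the same file keeps the callout. Keep the `> [!NOTE]` form in both places so the credential-caching caveat renders the same way. The DisableAutomaticReDeploymentCredentials description also carries over "the devices are for ready for use" and merges the two original paragraphs into one; change the wording to "are ready for use" and restore the paragraph break before "The Autopilot Reset feature".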
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
index 1a40f20b82..36ad871eab 100644
--- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md
+++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
@@ -1,95 +1,98 @@
---
-title: Policy CSP - CredentialsDelegation
-description: Learn how to use the Policy CSP - CredentialsDelegation setting so that remote host can allow delegation of non-exportable credentials.
+title: CredentialsDelegation Policy CSP
+description: Learn more about the CredentialsDelegation Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - CredentialsDelegation
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
-
+
+## RemoteHostAllowsDelegationOfNonExportableCredentials
-
-## CredentialsDelegation policies
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials
+```
+
+
+
+Remote host allows delegation of non-exportable credentials
-
+When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host.
-
-**CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials**
+- If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.
-
+- If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host.
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-> [!div class = "checklist"]
-> * Device
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | AllowProtectedCreds |
+| Friendly Name | Remote host allows delegation of non-exportable credentials |
+| Location | Computer Configuration |
+| Path | System > Credentials Delegation |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation |
+| Registry Value Name | AllowProtectedCreds |
+| ADMX File Name | CredSsp.admx |
+
-
-
-Remote host allows delegation of non-exportable credentials.
+
+
+
-When credential delegation is being used, devices provide an exportable version of credentials to the remote host. This version exposes users to the risk of credential theft from attackers on the remote host.
+
-If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.
+
+
+
-If you disable or don't configure this policy setting, Restricted Administration and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host.
+
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Remote host allows delegation of non-exportable credentials*
-- GP name: *AllowProtectedCreds*
-- GP path: *System/Credentials Delegation*
-- GP ADMX file name: *CredSsp.admx*
-
-
-
-
-
-
-
-
-
-## Related topics
+## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
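Review bot: Both TIP blocks change the link target from `../understanding-admx-backed-policies.md` to `./understanding-admx-backed-policies.md`, which now resolves inside `windows/client-management/mdm/`. The visible hunks do not show that file being moved there, so please confirm the target exists at the new path, otherwise these links break. In the description, the added line "Remote host allows delegation of non-exportable credentials" has lost its period and now reads as a stray fragment that duplicates the Friendly Name in the ADMX mapping table; drop it or punctuate it. The bullets also revert "don't"/"aren't" to "do not"/"are not", while policy-csp-credentialproviders.md in this same patch keeps "don't"; pick one style.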
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index cc614a22ef..060389719e 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -1,149 +1,164 @@
---
-title: Policy CSP - CredentialsUI
-description: Learn how to use the Policy CSP - CredentialsUI setting to configure the display of the password reveal button in password entry user experiences.
+title: CredentialsUI Policy CSP
+description: Learn more about the CredentialsUI Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - CredentialsUI
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## CredentialsUI policies
+
+## DisablePasswordReveal
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal
+```
-
+```Device
+./Device/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal
+```
+
-
-**CredentialsUI/DisablePasswordReveal**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-> * Device
-
-
-
-
-
+
+
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
-If you enable this policy setting, the password reveal button won't be displayed after a user types a password in the password entry text box.
+- If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.
-If you disable or don't configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.
+- If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.
By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.
-This policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.
+The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Do not display the password reveal button*
-- GP name: *DisablePasswordReveal*
-- GP path: *Windows Components/Credential User Interface*
-- GP ADMX file name: *credui.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-
-**CredentialsUI/EnumerateAdministrators**
+| Name | Value |
+|:--|:--|
+| Name | DisablePasswordReveal |
+| Friendly Name | Do not display the password reveal button |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Credential User Interface |
+| Registry Key Name | Software\Policies\Microsoft\Windows\CredUI |
+| Registry Value Name | DisablePasswordReveal |
+| ADMX File Name | CredUI.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+## EnumerateAdministrators
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/CredentialsUI/EnumerateAdministrators
+```
+
-> [!div class = "checklist"]
-> * Device
+
+
+This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.
-
+- If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.
-
-
-This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts aren't displayed when the user attempts to elevate a running application.
+- If you disable this policy setting, users will always be required to type a user name and password to elevate.
+
-If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.
+
+
+
-If you disable this policy setting, users will always be required to type a user name and password to elevate.
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-ADMX Info:
-- GP Friendly name: *Enumerate administrator accounts on elevation*
-- GP name: *EnumerateAdministrators*
-- GP path: *Windows Components/Credential User Interface*
-- GP ADMX file name: *credui.admx*
+**ADMX mapping**:
-
-
-
+| Name | Value |
+|:--|:--|
+| Name | EnumerateAdministrators |
+| Friendly Name | Enumerate administrator accounts on elevation |
+| Location | Computer Configuration |
+| Path | Windows Components > Credential User Interface |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\CredUI |
+| Registry Value Name | EnumerateAdministrators |
+| ADMX File Name | CredUI.admx |
+
+
+
+
+
-
+
+
+
-## Related topics
+
+
+## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
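Review bot: The new Scope / Editions / Applicable OS tables for DisablePasswordReveal and EnumerateAdministrators drop information the removed edition tables carried: Windows SE was "No" for Windows 10 and "Yes" for Windows 11, and there was a Business row. With Windows SE checked next to "Windows 10, version 1703 [10.0.15063] and later", the page now reads as if SE is supported on Windows 10. Please confirm that is intended, or qualify the SE entry. Separately, the EnumerateAdministrators bullets cover the enabled and disabled states but not the not-configured state, which only the lead sentence describes ("By default"); if the behaviour matches, word the second bullet "If you disable or do not configure this policy setting" as DisablePasswordReveal does.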
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 709df7bf13..53aabcf9bf 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -1,141 +1,129 @@
---
-title: Policy CSP - Cryptography
-description: Learn how to use the Policy CSP - Cryptography setting to allow or disallow the Federal Information Processing Standard (FIPS) policy.
+title: Cryptography Policy CSP
+description: Learn more about the Cryptography Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - Cryptography
+
+
+
+
+## AllowFipsAlgorithmPolicy
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
-
-## Cryptography policies
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cryptography/AllowFipsAlgorithmPolicy
+```
+
-
+
+
+Allows or disallows the Federal Information Processing Standard (FIPS) policy.
+
+
+
+
-
+
+**Description framework properties**:
-
-**Cryptography/AllowFipsAlgorithmPolicy**
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
+
+**Allowed values**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Value | Description |
+|:--|:--|
+| 1 | Allow. |
+| 0 (Default) | Block. |
+
+
+**Group policy mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing |
+| Path | Windows Settings > Security Settings > Local Policies > Security Options |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
-> [!div class = "checklist"]
-> * Device
+
-
+
+## TLSCipherSuites
-
-
-This policy setting allows or disallows the Federal Information Processing Standard (FIPS) policy.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
-
-
-ADMX Info:
-- GP Friendly name: *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*
-- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Cryptography/TLSCipherSuites
+```
+
-
-
-The following list shows the supported values:
+
+
+Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
+
-0 (default) – Not allowed.
-1– Allowed.
-
-
+
+
+
-
-
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
-
+
+
+
-
-**Cryptography/TLSCipherSuites**
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
+## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
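Review bot: The TLSCipherSuites description is carried over with its existing defects: "Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win." Since the line is being rewritten anyway, change "Last write win" to "Last write wins" and hyphenate "semicolon-delimited". The new properties table states the `;` delimiter, but the section still has no example value and does not say how an empty or unrecognised entry is handled; both would help anyone pushing this setting. In AllowFipsAlgorithmPolicy, the allowed values are listed as 1 then 0 and reworded from "Allowed"/"Not allowed" to "Allow."/"Block.", whereas the other allowed-values tables in this patch list 0 first; order them 0, 1 for consistency.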
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 5e5484db98..6c2609c4c7 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -1,129 +1,122 @@
---
-title: Policy CSP - DataProtection
-description: Use the Policy CSP - DataProtection setting to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows.
+title: DataProtection Policy CSP
+description: Learn more about the DataProtection Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - DataProtection
+
+
+
+
+## AllowDirectMemoryAccess
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-
-## DataProtection policies
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DataProtection/AllowDirectMemoryAccess
+```
+
-
+
+
+This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled. Most restricted value is 0.
+
+
+
+
-
+
+**Description framework properties**:
-
-**DataProtection/AllowDirectMemoryAccess**
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-
+
+**Allowed values**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## LegacySelectiveWipeID
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DataProtection/LegacySelectiveWipeID
+```
+
-
-
-This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows.
-
-Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled.
-
-Most restricted value is 0.
-
-
-
-The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**DataProtection/LegacySelectiveWipeID**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-> [!IMPORTANT]
-> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.
-
-
-Setting used by Windows 8.1 Selective Wipe.
+
+
+Important. This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. Setting used by Windows 8. 1 Selective Wipe
> [!NOTE]
-> This policy is not recommended for use in Windows 10.
+> This policy is not recommended for use in Windows 10.
+
-
-
-
+
+
+
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
+
+
+
-## Related topics
+
+
+
+
+
+
+
+
+## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
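Review bot: In LegacySelectiveWipeID, the `> [!IMPORTANT]` callout is flattened into body text ("Important. This policy may change in a future release...") and run together with "Setting used by Windows 8. 1 Selective Wipe", which now has a stray space inside "8.1" and no final period. Restore the callout and keep the one-line description as its own sentence. The edition table also changes Home from "Yes" in the removed table to `:x: Home`; please confirm that applicability change is intended. In AllowDirectMemoryAccess, the three original paragraphs are merged into one, which buries "Most restricted value is 0." after the BitLocker sentence; keep it on its own line.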
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index da61efc35d..f01d83375c 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -1,112 +1,168 @@
---
-title: Policy CSP - DataUsage
-description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine.
+title: DataUsage Policy CSP
+description: Learn more about the DataUsage Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - DataUsage
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## DataUsage policies
+
+## SetCost3G
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DataUsage/SetCost3G
+```
+
-
+
+
+This policy setting configures the cost of 3G connections on the local machine.
-
-**DataUsage/SetCost3G**
-
-
-
-
-This policy is deprecated in Windows 10, version 1809.
-
-
-
-
-
-
-
-**DataUsage/SetCost4G**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting configures the cost of 4G connections on the local machine.
-
-If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:
+- If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:
- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
+
- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
+
- Variable: This connection is costed on a per byte basis.
-If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.
+- If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.
+
-
+
+
+> [!NOTE]
+> This policy is deprecated.
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Set 4G Cost*
-- GP name: *SetCost4G*
-- GP path: *Network/WWAN Service/WWAN Media Cost*
-- GP ADMX file name: *wwansvc.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+**ADMX mapping**:
+| Name | Value |
+|:--|:--|
+| Name | SetCost3G |
+| Friendly Name | Set 3G Cost |
+| Location | Computer Configuration |
+| Path | Network > WWAN Service > WWAN Media Cost |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\NetCost |
+| ADMX File Name | wwansvc.admx |
+
-
+
+
+
-## Related topics
+
+
+
+## SetCost4G
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DataUsage/SetCost4G
+```
+
+
+
+
+This policy setting configures the cost of 4G connections on the local machine.
+
+- If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:
+
+- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
+
+- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
+
+- Variable: This connection is costed on a per byte basis.
+
+- If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetCost4G |
+| Friendly Name | Set 4G Cost |
+| Location | Computer Configuration |
+| Path | Network > WWAN Service > WWAN Media Cost |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\NetCost |
+| ADMX File Name | wwansvc.admx |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
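Review bot: The SetCost3G section loses the version in which the policy was deprecated. The removed text read `This policy is deprecated in Windows 10, version 1809.`, while the new note says only `This policy is deprecated.` and sits under an Applicable OS cell of "Windows 10, version 1703 [10.0.15063] and later". Keep the 1809 cutoff in the note so the table and the note do not contradict each other. Separately, the TIP links move from `../understanding-admx-backed-policies.md` to `./understanding-admx-backed-policies.md`; please confirm the target exists under `mdm/`. In the description, the Unrestricted/Fixed/Variable items now sit at the same list level as the two "If this policy setting is ..." bullets and should be nested under the "enabled" bullet.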
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index efc7a8a312..eb25db2dad 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1,10 +1,10 @@
---
title: Defender Policy CSP
-description: Learn more about the Defender Area in Policy CSP
+description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 11/02/2022
+ms.date: 01/09/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -36,11 +36,12 @@ ms.topic: reference
-This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
+
+This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files.
-If you enable or do not configure this setting, archive files will be scanned.
+- If you enable or do not configure this setting, archive files will be scanned.
-If you disable this setting, archive files will not be scanned. However, archives are always scanned during directed scans.
+- If you disable this setting, archive files will not be scanned. However, archives are always scanned during directed scans.
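Review bot: The first added sentence introduces stray spaces inside the file extensions: `.ZIP or .CAB` became `. ZIP or . CAB`. Restore the original spelling of the extensions; the bullet conversion in the following lines does not need this change.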
@@ -102,11 +103,12 @@ If you disable this setting, archive files will not be scanned. However, archive
+
This policy setting allows you to configure behavior monitoring.
-If you enable or do not configure this setting, behavior monitoring will be enabled.
+- If you enable or do not configure this setting, behavior monitoring will be enabled.
-If you disable this setting, behavior monitoring will be disabled.
+- If you disable this setting, behavior monitoring will be disabled.
@@ -168,6 +170,7 @@ If you disable this setting, behavior monitoring will be disabled.
+
This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections.
You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you.
@@ -181,9 +184,9 @@ Basic membership will send basic information to Microsoft about software that ha
Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer.
-If you enable this setting, you will join Microsoft MAPS with the membership specified.
+- If you enable this setting, you will join Microsoft MAPS with the membership specified.
-If you disable or do not configure this setting, you will not join Microsoft MAPS.
+- If you disable or do not configure this setting, you will not join Microsoft MAPS.
In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership.
@@ -222,7 +225,6 @@ In Windows 10, Basic membership is no longer available, so setting the value to
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > MAPS |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet |
-| Registry Value Name | SpynetReporting |
| ADMX File Name | WindowsDefender.admx |
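Review bot: Dropping the `| Registry Value Name | SpynetReporting |` row leaves only the key path in the ADMX mapping table, so a reader can no longer tell which value under `Software\Policies\Microsoft\Windows Defender\Spynet` this policy writes. Anyone verifying or monitoring the setting on an endpoint needs that name. Keep the row, or explain the removal in the change description; the same row is deleted in the later ADMX mapping hunks of this file (for example `ExploitGuard_ASR_Rules` and `EnableControlledFolderAccess`).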
@@ -248,11 +250,12 @@ In Windows 10, Basic membership is no longer available, so setting the value to
+
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). Email scanning is not supported on modern email clients.
-If you enable this setting, e-mail scanning will be enabled.
+- If you enable this setting, e-mail scanning will be enabled.
-If you disable or do not configure this setting, e-mail scanning will be disabled.
+- If you disable or do not configure this setting, e-mail scanning will be disabled.
@@ -314,11 +317,12 @@ If you disable or do not configure this setting, e-mail scanning will be disable
+
This policy setting allows you to configure scanning mapped network drives.
-If you enable this setting, mapped network drives will be scanned.
+- If you enable this setting, mapped network drives will be scanned.
-If you disable or do not configure this setting, mapped network drives will not be scanned.
+- If you disable or do not configure this setting, mapped network drives will not be scanned.
@@ -380,11 +384,12 @@ If you disable or do not configure this setting, mapped network drives will not
+
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.
-If you enable this setting, removable drives will be scanned during any type of scan.
+- If you enable this setting, removable drives will be scanned during any type of scan.
-If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.
+- If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.
@@ -446,6 +451,7 @@ If you disable or do not configure this setting, removable drives will not be sc
+
Allows or disallows Windows Defender Intrusion Prevention functionality.
@@ -494,11 +500,12 @@ Allows or disallows Windows Defender Intrusion Prevention functionality.
+
This policy setting allows you to configure scanning for all downloaded files and attachments.
-If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled.
+- If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled.
-If you disable this setting, scanning for all downloaded files and attachments will be disabled.
+- If you disable this setting, scanning for all downloaded files and attachments will be disabled.
@@ -560,11 +567,12 @@ If you disable this setting, scanning for all downloaded files and attachments w
+
This policy setting allows you to configure monitoring for file and program activity.
-If you enable or do not configure this setting, monitoring for file and program activity will be enabled.
+- If you enable or do not configure this setting, monitoring for file and program activity will be enabled.
-If you disable this setting, monitoring for file and program activity will be disabled.
+- If you disable this setting, monitoring for file and program activity will be disabled.
@@ -626,13 +634,8 @@ If you disable this setting, monitoring for file and program activity will be di
-This policy turns off real-time protection in Microsoft Defender Antivirus.
-
-Real-time protection consists of always-on scanning with file and process behavior monitoring and heuristics. When real-time protection is on, Microsoft Defender Antivirus detects malware and potentially unwanted software that attempts to install itself or run on your device, and prompts you to take action on malware detections.
-
-If you enable this policy setting, real-time protection is turned off.
-
-If you either disable or do not configure this policy setting, real-time protection is turned on.
+
+Allows or disallows Windows Defender Realtime Monitoring functionality.
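Review bot: The one-line replacement drops everything the removed paragraphs said about what real-time protection covers and which state turns it off (`If you enable this policy setting, real-time protection is turned off.`). With only "Allows or disallows Windows Defender Realtime Monitoring functionality." a reader cannot tell which value disables protection or what applies when the policy is not configured. For a setting that switches off always-on scanning, state both explicitly, in the same bullet form the other settings in this file use.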
@@ -694,11 +697,12 @@ If you either disable or do not configure this policy setting, real-time protect
+
This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
-If you enable this setting, network files will be scanned.
+- If you enable this setting, network files will be scanned.
-If you disable or do not configure this setting, network files will not be scanned.
+- If you disable or do not configure this setting, network files will not be scanned.
@@ -760,6 +764,7 @@ If you disable or do not configure this setting, network files will not be scann
+
Allows or disallows Windows Defender Script Scanning functionality.
@@ -808,8 +813,9 @@ Allows or disallows Windows Defender Script Scanning functionality.
+
This policy setting allows you to configure whether or not to display AM UI to the users.
-If you enable this setting AM UI won't be available to users.
+- If you enable this setting AM UI won't be available to users.
@@ -871,13 +877,14 @@ If you enable this setting AM UI won't be available to users.
+
Exclude files and paths from Attack Surface Reduction (ASR) rules.
Enabled:
Specify the folders or files and resources that should be excluded from ASR rules in the Options section.
Enter each rule on a new line as a name-value pair:
-- Name column: Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder
-- Value column: Enter ""0"" for each item
+- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder
+- Value column: Enter "0" for each item
Disabled:
No exclusions will be applied to the ASR rules.
@@ -913,7 +920,6 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR |
-| Registry Value Name | ExploitGuard_ASR_ASROnlyExclusions |
| ADMX File Name | WindowsDefender.admx |
@@ -939,6 +945,7 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s
+
Set the state for each Attack Surface Reduction (ASR) rule.
After enabling this setting, you can set each rule to the following in the Options section:
@@ -963,11 +970,13 @@ The following status IDs are permitted under the value column:
- 5 (Not Configured)
- 6 (Warn)
-
Example:
-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0
-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1
-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2
+xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+0
+xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+1
+xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+2
Disabled:
No ASR rules will be configured.
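Review bot: In the Example, each rule ID and its state now sit on separate lines (`xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` followed by `0`), where the old text showed one `ID state` pair per line. Without a code fence these six lines flow into a single paragraph when rendered, and the pairing of ID and state is no longer obvious. Put the example in a fenced block with one pair per line, or say explicitly that ID and state alternate.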
@@ -975,7 +984,7 @@ No ASR rules will be configured.
Not configured:
Same as Disabled.
-You can exclude folders or files in the ""Exclude files and paths from Attack Surface Reduction Rules"" GP setting.
+You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting.
@@ -1002,7 +1011,6 @@ You can exclude folders or files in the ""Exclude files and paths from Attack Su
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR |
-| Registry Value Name | ExploitGuard_ASR_Rules |
| ADMX File Name | WindowsDefender.admx |
@@ -1028,11 +1036,12 @@ You can exclude folders or files in the ""Exclude files and paths from Attack Su
+
This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50.
-If you enable this setting, CPU utilization will not exceed the percentage specified.
+- If you enable this setting, CPU utilization will not exceed the percentage specified.
-If you disable or do not configure this setting, CPU utilization will not exceed the default value.
+- If you disable or do not configure this setting, CPU utilization will not exceed the default value.
@@ -1061,7 +1070,6 @@ If you disable or do not configure this setting, CPU utilization will not exceed
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | AvgCPULoadFactor |
| ADMX File Name | WindowsDefender.admx |
@@ -1087,13 +1095,14 @@ If you disable or do not configure this setting, CPU utilization will not exceed
+
This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur before running a scan.
This setting applies to scheduled scans, but it has no effect on scans initiated manually from the user interface or to the ones started from the command line using "mpcmdrun -Scan".
-If you enable this setting, a check for new security intelligence will occur before running a scan.
+- If you enable this setting, a check for new security intelligence will occur before running a scan.
-If you disable this setting or do not configure this setting, the scan will start using the existing security intelligence.
+- If you disable this setting or do not configure this setting, the scan will start using the existing security intelligence.
@@ -1115,8 +1124,8 @@ If you disable this setting or do not configure this setting, the scan will star
| Value | Description |
|:--|:--|
-| 0 (Default) | Disabled |
-| 1 | Enabled |
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
@@ -1129,7 +1138,6 @@ If you disable this setting or do not configure this setting, the scan will star
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | CheckForSignaturesBeforeRunningScan |
| ADMX File Name | WindowsDefender.admx |
@@ -1155,7 +1163,11 @@ If you disable this setting or do not configure this setting, the scan will star
-This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. NoteThis feature requires the Join Microsoft MAPS setting enabled in order to function.
+
+This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site
+
+> [!NOTE]
+> This feature requires the Join Microsoft MAPS setting enabled in order to function.
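Review bot: Splitting the note out of the paragraph left the preceding sentence without its full stop: the added line now ends `see the Windows Defender Antivirus documentation site`. Add the period. In the new NOTE, "requires the Join Microsoft MAPS setting enabled" would read better as "requires the Join Microsoft MAPS setting to be enabled".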
@@ -1177,10 +1189,10 @@ This policy setting determines how aggressive Windows Defender Antivirus will be
| Value | Description |
|:--|:--|
-| 0 (Default) | NotConfigured |
-| 2 | High |
-| 4 | HighPlus |
-| 6 | ZeroTolerance |
+| 0 (Default) | NotConfigured. |
+| 2 | High. |
+| 4 | HighPlus. |
+| 6 | ZeroTolerance. |
@@ -1188,13 +1200,12 @@ This policy setting determines how aggressive Windows Defender Antivirus will be
| Name | Value |
|:--|:--|
-| Name | MpCloudBlockLevel |
+| Name | MpEngine_MpCloudBlockLevel |
| Friendly Name | Select cloud protection level |
| Element Name | Select cloud blocking level |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > MpEngine |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine |
-| Registry Value Name | MpCloudBlockLevel |
| ADMX File Name | WindowsDefender.admx |
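Review bot: The `Name` row changes from `MpCloudBlockLevel` to `MpEngine_MpCloudBlockLevel` in the same hunk that deletes `| Registry Value Name | MpCloudBlockLevel |`, so the table no longer shows the registry value name at all and a reader may assume the value under `Software\Policies\Microsoft\Windows Defender\MpEngine` carries the new prefixed name. Keep the Registry Value Name row next to the renamed ADMX policy name. The MpBafsExtendedTimeout mapping hunk further down has the same combination.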
@@ -1220,7 +1231,11 @@ This policy setting determines how aggressive Windows Defender Antivirus will be
-This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. NoteThis feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required.
+
+This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds
+
+> [!NOTE]
+> This feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required.
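Review bot: The new NOTE carries over the typo from the removed line, `three other MAPS settings the must all be enabled-`. Change it to "that must all be enabled:" while the text is being touched. The paragraph above it also lost its final period (`raise the total time to 60 seconds`).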
@@ -1243,13 +1258,12 @@ This feature allows Windows Defender Antivirus to block a suspicious file for up
| Name | Value |
|:--|:--|
-| Name | MpBafsExtendedTimeout |
+| Name | MpEngine_MpBafsExtendedTimeout |
| Friendly Name | Configure extended cloud check |
| Element Name | Specify the extended cloud check time in seconds |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > MpEngine |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine |
-| Registry Value Name | MpBafsExtendedTimeout |
| ADMX File Name | WindowsDefender.admx |
@@ -1275,6 +1289,7 @@ This feature allows Windows Defender Antivirus to block a suspicious file for up
+
Add additional applications that should be considered "trusted" by controlled folder access.
These applications are allowed to modify or delete files in controlled folder access folders.
@@ -1320,7 +1335,6 @@ Default system folders are automatically guarded, but you can add folders in the
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
-| Registry Value Name | ExploitGuard_ControlledFolderAccess_AllowedApplications |
| ADMX File Name | WindowsDefender.admx |
@@ -1346,6 +1360,7 @@ Default system folders are automatically guarded, but you can add folders in the
+
Specify additional folders that should be guarded by the Controlled folder access feature.
Files in these folders cannot be modified or deleted by untrusted applications.
@@ -1392,7 +1407,6 @@ Microsoft Defender Antivirus automatically determines which applications can be
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
-| Registry Value Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders |
| ADMX File Name | WindowsDefender.admx |
@@ -1418,11 +1432,12 @@ Microsoft Defender Antivirus automatically determines which applications can be
+
This policy setting defines the number of days items should be kept in the Quarantine folder before being removed.
-If you enable this setting, items will be removed from the Quarantine folder after the number of days specified.
+- If you enable this setting, items will be removed from the Quarantine folder after the number of days specified.
-If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed.
+- If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed.
@@ -1451,7 +1466,6 @@ If you disable or do not configure this setting, items will be kept in the quara
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Quarantine |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Quarantine |
-| Registry Value Name | PurgeItemsAfterDelay |
| ADMX File Name | WindowsDefender.admx |
@@ -1477,11 +1491,12 @@ If you disable or do not configure this setting, items will be kept in the quara
-This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
+
+This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
+- If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
-If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
+- If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
@@ -1503,8 +1518,8 @@ If you disable or do not configure this setting, catch-up scans for scheduled fu
| Value | Description |
|:--|:--|
-| 0 | Enabled |
-| 1 (Default) | Disabled |
+| 0 | Enabled. |
+| 1 (Default) | Disabled. |
@@ -1517,7 +1532,6 @@ If you disable or do not configure this setting, catch-up scans for scheduled fu
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | DisableCatchupFullScan |
| ADMX File Name | WindowsDefender.admx |
@@ -1543,11 +1557,12 @@ If you disable or do not configure this setting, catch-up scans for scheduled fu
-This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
+
+This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
+- If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
-If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.
+- If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.
@@ -1569,8 +1584,8 @@ If you disable or do not configure this setting, catch-up scans for scheduled qu
| Value | Description |
|:--|:--|
-| 0 | Enabled |
-| 1 (Default) | Disabled |
+| 0 | Enabled. |
+| 1 (Default) | Disabled. |
@@ -1583,7 +1598,6 @@ If you disable or do not configure this setting, catch-up scans for scheduled qu
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | DisableCatchupQuickScan |
| ADMX File Name | WindowsDefender.admx |
@@ -1609,6 +1623,7 @@ If you disable or do not configure this setting, catch-up scans for scheduled qu
+
Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to:
- Modify or delete files in protected folders, such as the Documents folder
- Write to disk sectors
@@ -1624,21 +1639,18 @@ The following will be blocked:
- Attempts by untrusted apps to write to disk sectors
The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
-
Disabled:
The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to modify or delete files in protected folders
- Attempts by untrusted apps to write to disk sectors
These attempts will not be recorded in the Windows event log.
-
Audit Mode:
The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to modify or delete files in protected folders
- Attempts by untrusted apps to write to disk sectors
The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124.
-
Block disk modification only:
The following will be blocked:
- Attempts by untrusted apps to write to disk sectors
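Review bot: The blank lines removed before `Disabled:`, `Audit Mode:` and `Block disk modification only:` were the only separation between each mode label and the event-log sentence that closes the previous mode. Without them, Markdown can fold the label into the preceding paragraph, for example "... Operational > ID 1123. Disabled:". Check the rendered page and keep the blank lines, or turn the mode labels into a list or headings, so the event IDs 1123 and 1124 stay clearly tied to the mode that logs them.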
@@ -1648,7 +1660,6 @@ The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to modify or delete files in protected folders
These attempts will not be recorded in the Windows event log.
-
Audit disk modification only:
The following will not be blocked and will be allowed to run:
- Attempts by untrusted apps to write to disk sectors
@@ -1679,9 +1690,9 @@ Same as Disabled.
| Value | Description |
|:--|:--|
-| 0 (Default) | Disabled |
-| 1 | Enabled |
-| 2 | Audit Mode |
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+| 2 | Audit Mode. |
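Review bot: The allowed values table lists only 0, 1 and 2, but the description in this same section also documents "Block disk modification only" and "Audit disk modification only" modes. Since the table rows are being touched anyway, either add rows for those two modes or state in the description that they cannot be set through this policy, so the table and the text agree.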
@@ -1695,7 +1706,6 @@ Same as Disabled.
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
-| Registry Value Name | EnableControlledFolderAccess |
| ADMX File Name | WindowsDefender.admx |
@@ -1721,11 +1731,12 @@ Same as Disabled.
+
This policy setting allows you to enable or disable low CPU priority for scheduled scans.
-If you enable this setting, low CPU priority will be used during scheduled scans.
+- If you enable this setting, low CPU priority will be used during scheduled scans.
-If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.
+- If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.
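Review bot: The typo "not changes will be made" in the second bullet is carried over unchanged from the removed line. Since the line is rewritten here, fix it to "no changes will be made to CPU priority for scheduled scans."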
@@ -1747,8 +1758,8 @@ If you disable or do not configure this setting, not changes will be made to CPU
| Value | Description |
|:--|:--|
-| 0 (Default) | Disabled |
-| 1 | Enabled |
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
@@ -1761,7 +1772,6 @@ If you disable or do not configure this setting, not changes will be made to CPU
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | LowCpuPriority |
| ADMX File Name | WindowsDefender.admx |
@@ -1787,6 +1797,7 @@ If you disable or do not configure this setting, not changes will be made to CPU
+
Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet.
Enabled:
@@ -1820,9 +1831,9 @@ Same as Disabled.
| Value | Description |
|:--|:--|
-| 0 (Default) | Disabled |
-| 1 | Enabled (block mode) |
-| 2 | Enabled (audit mode) |
+| 0 (Default) | Disabled. |
+| 1 | Enabled (block mode). |
+| 2 | Enabled (audit mode). |
@@ -1835,7 +1846,6 @@ Same as Disabled.
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection |
-| Registry Value Name | EnableNetworkProtection |
| ADMX File Name | WindowsDefender.admx |
@@ -1861,6 +1871,7 @@ Same as Disabled.
+
Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, lib|obj.
@@ -1889,7 +1900,6 @@ Allows an administrator to specify a list of file type extensions to ignore duri
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Exclusions |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions |
-| Registry Value Name | Exclusions_Extensions |
| ADMX File Name | WindowsDefender.admx |
@@ -1915,6 +1925,7 @@ Allows an administrator to specify a list of file type extensions to ignore duri
+
Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, C:\Example|C:\Example1.
@@ -1943,7 +1954,6 @@ Allows an administrator to specify a list of directory paths to ignore during a
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Exclusions |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions |
-| Registry Value Name | Exclusions_Paths |
| ADMX File Name | WindowsDefender.admx |
@@ -1969,7 +1979,11 @@ Allows an administrator to specify a list of directory paths to ignore during a
-Allows an administrator to specify a list of files opened by processes to ignore during a scan. ImportantThe process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe.
+
+Allows an administrator to specify a list of files opened by processes to ignore during a scan
+
+> [!IMPORTANT]
+> The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C\Example. exe|C\Example1.exe.
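Review bot: The example in the new IMPORTANT callout reads `C\Example. exe|C\Example1.exe`, which has lost the colon after the drive letter that the removed line had (`C:\Example. exe|C:\Example1.exe`) and still carries the stray space in "Example. exe". An exclusion example that is not a valid path invites entries that do not match what the admin intended, so restore `C:\Example.exe|C:\Example1.exe`. Two smaller points: the first added sentence lost its closing period after "during a scan", and the separator syntax ("Each file type must be separated by a |") is format guidance rather than a warning, so it reads better outside the callout.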
@@ -1997,7 +2011,6 @@ Allows an administrator to specify a list of files opened by processes to ignore
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Exclusions |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions |
-| Registry Value Name | Exclusions_Processes |
| ADMX File Name | WindowsDefender.admx |
@@ -2023,6 +2036,7 @@ Allows an administrator to specify a list of files opened by processes to ignore
+
Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer.
Enabled:
@@ -2071,7 +2085,6 @@ Same as Disabled.
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender |
-| Registry Value Name | PUAProtection |
| ADMX File Name | WindowsDefender.admx |
@@ -2097,20 +2110,21 @@ Same as Disabled.
+
This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role.
-Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes.
+**Note** that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes.
-The options for this setting are mutually exclusive:
+The options for this setting are mutually exclusive
0 = Scan incoming and outgoing files (default)
1 = Scan incoming files only
2 = Scan outgoing files only
Any other value, or if the value does not exist, resolves to the default (0).
-If you enable this setting, the specified type of monitoring will be enabled.
+- If you enable this setting, the specified type of monitoring will be enabled.
-If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled.
+- If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled.
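Review bot: The added line "The options for this setting are mutually exclusive" drops the colon that introduced the 0/1/2 list on the removed line, so the sentence now ends without punctuation and no longer leads into the values. Restore the colon. The replacement "**Note** that this configuration is only honored for NTFS volumes" bolds one word mid-sentence; a `> [!NOTE]` callout, as used elsewhere in this change, would be consistent and easier to spot.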
@@ -2148,7 +2162,6 @@ If you disable or do not configure this setting, monitoring for incoming and out
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection |
-| Registry Value Name | RealtimeScanDirection |
| ADMX File Name | WindowsDefender.admx |
@@ -2174,13 +2187,14 @@ If you disable or do not configure this setting, monitoring for incoming and out
+
This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are:
1 = Quick Scan (default)
2 = Full Scan
-If you enable this setting, the scan type will be set to the specified value.
+- If you enable this setting, the scan type will be set to the specified value.
-If you disable or do not configure this setting, the default scan type will used.
+- If you disable or do not configure this setting, the default scan type will used.
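Review bot: The second bullet still reads "the default scan type will used", the same missing word as on the removed line. Change it to "will be used" while the line is being rewritten.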
@@ -2202,8 +2216,8 @@ If you disable or do not configure this setting, the default scan type will used
| Value | Description |
|:--|:--|
-| 1 (Default) | Quick scan |
-| 2 | Full scan |
+| 1 (Default) | Quick scan. |
+| 2 | Full scan. |
@@ -2217,7 +2231,6 @@ If you disable or do not configure this setting, the default scan type will used
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | ScanParameters |
| ADMX File Name | WindowsDefender.admx |
@@ -2243,11 +2256,12 @@ If you disable or do not configure this setting, the default scan type will used
-This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing.
+
+This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing.
-If you enable this setting, a daily quick scan will run at the time of day specified.
+- If you enable this setting, a daily quick scan will run at the time of day specified.
-If you disable or do not configure this setting, daily quick scan controlled by this config will not be run.
+- If you disable or do not configure this setting, daily quick scan controlled by this config will not be run.
@@ -2276,7 +2290,6 @@ If you disable or do not configure this setting, daily quick scan controlled by
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | ScheduleQuickScanTime |
| ADMX File Name | WindowsDefender.admx |
@@ -2302,6 +2315,7 @@ If you disable or do not configure this setting, daily quick scan controlled by
+
This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all.
This setting can be configured with the following ordinal number values:
@@ -2315,9 +2329,9 @@ This setting can be configured with the following ordinal number values:
(0x7) Saturday
(0x8) Never (default)
-If you enable this setting, a scheduled scan will run at the frequency specified.
+- If you enable this setting, a scheduled scan will run at the frequency specified.
-If you disable or do not configure this setting, a scheduled scan will run at a default frequency.
+- If you disable or do not configure this setting, a scheduled scan will run at a default frequency.
@@ -2339,15 +2353,15 @@ If you disable or do not configure this setting, a scheduled scan will run at a
| Value | Description |
|:--|:--|
-| 0 (Default) | Every day |
-| 1 | Sunday |
-| 2 | Monday |
-| 3 | Tuesday |
-| 4 | Wednesday |
-| 5 | Thursday |
-| 6 | Friday |
-| 7 | Saturday |
-| 8 | No scheduled scan |
+| 0 (Default) | Every day. |
+| 1 | Sunday. |
+| 2 | Monday. |
+| 3 | Tuesday. |
+| 4 | Wednesday. |
+| 5 | Thursday. |
+| 6 | Friday. |
+| 7 | Saturday. |
+| 8 | No scheduled scan. |
@@ -2361,7 +2375,6 @@ If you disable or do not configure this setting, a scheduled scan will run at a
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | ScheduleDay |
| ADMX File Name | WindowsDefender.admx |
@@ -2387,11 +2400,12 @@ If you disable or do not configure this setting, a scheduled scan will run at a
-This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
+
+This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
-If you enable this setting, a scheduled scan will run at the time of day specified.
+- If you enable this setting, a scheduled scan will run at the time of day specified.
-If you disable or do not configure this setting, a scheduled scan will run at a default time.
+- If you disable or do not configure this setting, a scheduled scan will run at a default time.
@@ -2420,7 +2434,6 @@ If you disable or do not configure this setting, a scheduled scan will run at a
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Scan |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
-| Registry Value Name | ScheduleTime |
| ADMX File Name | WindowsDefender.admx |
@@ -2446,9 +2459,10 @@ If you disable or do not configure this setting, a scheduled scan will run at a
+
This policy setting allows you to define the security intelligence location for VDI-configured computers.
-If you disable or do not configure this setting, security intelligence will be referred from the default local source.
+- If you disable or do not configure this setting, security intelligence will be referred from the default local source.
@@ -2500,13 +2514,14 @@ If you disable or do not configure this setting, security intelligence will be r
-This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”
+
+This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares"
For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }
-If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
+- If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
-If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order.
+- If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order.
@@ -2559,11 +2574,12 @@ If you disable or do not configure this setting, security intelligence update so
+
This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default.
-If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
+- If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
-If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
+- If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
@@ -2616,11 +2632,12 @@ If you disable or do not configure this setting, the list will remain empty by d
+
This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).
-If you enable this setting, checks for security intelligence updates will occur at the interval specified.
+- If you enable this setting, checks for security intelligence updates will occur at the interval specified.
-If you disable or do not configure this setting, checks for security intelligence updates will occur at the default interval.
+- If you disable or do not configure this setting, checks for security intelligence updates will occur at the default interval.
@@ -2649,7 +2666,6 @@ If you disable or do not configure this setting, checks for security intelligenc
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates |
-| Registry Value Name | SignatureUpdateInterval |
| ADMX File Name | WindowsDefender.admx |
@@ -2675,6 +2691,7 @@ If you disable or do not configure this setting, checks for security intelligenc
+
This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set.
Possible options are:
@@ -2720,7 +2737,6 @@ Possible options are:
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > MAPS |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet |
-| Registry Value Name | SubmitSamplesConsent |
| ADMX File Name | WindowsDefender.admx |
@@ -2746,7 +2762,8 @@ Possible options are:
-Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format threat level=action|threat level=action. For example, 1=6|2=2|4=10|5=3. The following list shows the supported values for threat severity levels:1 – Low severity threats2 – Moderate severity threats4 – High severity threats5 – Severe threatsThe following list shows the supported values for possible actions:1 – Clean. Service tries to recover files and try to disinfect. 2 – Quarantine. Moves files to quarantine. 3 – Remove. Removes files from system. 6 – Allow. Allows file/does none of the above actions. 8 – User defined. Requires user to make a decision on which action to take. 10 – Block. Blocks file execution.
+
+Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format threat level=action|threat level=action. For example, 1=6|2=2|4=10|5=3. The following list shows the supported values for threat severity levels:1 - Low severity threats2 - Moderate severity threats4 - High severity threats5 - Severe threatsThe following list shows the supported values for possible actions:2 - Quarantine. Moves files to quarantine. 3 - Remove. Removes files from system. 6 - Allow. Allows file/does none of the above actions. 8 - User defined. Requires user to make a decision on which action to take. 10 - Block. Blocks file execution.
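Review bot: The added line drops action "1 – Clean. Service tries to recover files and try to disinfect." from the list of supported actions, which now starts at "2 - Quarantine". Nothing else in the hunk explains this. If action 1 is no longer supported, state that explicitly, because existing `threat level=action` strings that use `=1` would then be invalid; otherwise restore the entry. The severity and action lists are also still run together on one line ("threats2 - Moderate", "threats4 - High"), so this is a good place to break them into list items.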
@@ -2773,7 +2790,6 @@ Allows an administrator to specify any valid threat severity levels and the corr
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Antivirus > Threats |
| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Threats |
-| Registry Value Name | Threats_ThreatSeverityDefaultAction |
| ADMX File Name | WindowsDefender.admx |
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 95f4178efd..fe04df23d4 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -1,1595 +1,1744 @@
---
-title: Policy CSP - DeliveryOptimization
-description: Learn how to use the Policy CSP - DeliveryOptimization setting to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization.
+title: DeliveryOptimization Policy CSP
+description: Learn more about the DeliveryOptimization Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 06/09/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - DeliveryOptimization
->[!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> [!TIP]
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## DeliveryOptimization policies
+
+## DOAbsoluteMaxCacheSize
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOAbsoluteMaxCacheSize
+```
+
-
+
+
+Specifies the maximum size in GB of Delivery Optimization cache.
-
-**DeliveryOptimization/DOAbsoluteMaxCacheSize**
+This policy overrides the DOMaxCacheSize policy.
-
+The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk space.
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 0 |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+**Group policy mapping**:
-> [!div class = "checklist"]
-> * Device
+| Name | Value |
+|:--|:--|
+| Name | AbsoluteMaxCacheSize |
+| Friendly Name | Absolute Max Cache Size (in GB) |
+| Element Name | Absolute Max Cache Size (in GB) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
+
+
+
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
+
+
+## DOAllowVPNPeerCaching
-Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-The default value is 10.
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOAllowVPNPeerCaching
+```
+
-
-
-ADMX Info:
-- GP Friendly name: *Absolute Max Cache Size (in GB)*
-- GP name: *AbsoluteMaxCacheSize*
-- GP element: *AbsoluteMaxCacheSize*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+
-
-
+
+
+
-
+
+**Description framework properties**:
-
-**DeliveryOptimization/DOAllowVPNPeerCaching**
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
+
+**Allowed values**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not allowed. |
+| 1 | Allowed. |
+
+
+**Group policy mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | AllowVPNPeerCaching |
+| Friendly Name | Enable Peer Caching while the device connects via VPN |
+| Element Name | Enable Peer Caching while the device connects via VPN |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
-> [!div class = "checklist"]
-> * Device
+
-
+
+## DOCacheHost
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost
+```
+
-Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This policy means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
-
-
-
-ADMX Info:
-- GP Friendly name: *Enable Peer Caching while the device connects via VPN*
-- GP name: *AllowVPNPeerCaching*
-- GP element: *AllowVPNPeerCaching*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 (default) - Not allowed.
-- 1 - Allowed.
-
-
-
-
-
-
-
-**DeliveryOptimization/DOCacheHost**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy allows you to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization.
+
+
+This policy allows you to set one or more Microsoft Connected Cache servers that will be used by your client(s).
One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
+
-
-
-ADMX Info:
-- GP Friendly name: *Cache Server Hostname*
-- GP name: *CacheHost*
-- GP element: *CacheHost*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-**DeliveryOptimization/DOCacheHostSource**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy allows you to configure one or more Delivery Optimizations in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
-
-
-
-ADMX Info:
-- GP Friendly name: *Cache Server Hostname Source*
-- GP name: *CacheHostSource*
-- GP element: *CacheHostSource*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
-
-
-
-The following are the supported values:
-- 1 = DHCP Option ID.
-- 2 = DHCP Option ID Force.
-
-When DHCP Option ID (1) is set, the client will query DHCP Option ID 235 and use the returned FQDN or IP value as Cache Server Hostname value. This policy will be overridden when the [Cache Server Hostname](#deliveryoptimization-docachehost) policy has been set.
-
-When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 and use the returned FQDN or IP value as Cache Server Hostname value, and will override the Cache Server Hostname policy if it has been set.
-
-> [!Note]
-> If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#deliveryoptimization-docachehost) policy value if that value has been set.
-
-
-
-
-
-
-
-
-
-
-
-
-
-**DeliveryOptimization/DODelayBackgroundDownloadFromHttp**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer.
-
-After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from peers. A download that is waiting for peer sources will appear to be stuck for the end user. The recommended value is 1 hour (3600).
-
-
-
-ADMX Info:
-- GP Friendly name: *Delay background download from http (in secs)*
-- GP name: *DelayBackgroundDownloadFromHttp*
-- GP element: *DelayBackgroundDownloadFromHttp*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
-
-
-
-
-
-
-
-**DeliveryOptimization/DODelayCacheServerFallbackBackground**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download.
-
+
+
> [!NOTE]
-> The [DODelayBackgroundDownloadFromHttp](#deliveryoptimization-dodelaybackgrounddownloadfromhttp) policy takes precedence over this policy to allow downloads from peers first.
+> Clients don't talk to multiple Microsoft Connected Cache (MCC) servers at the same time. If you configure a list of MCC servers in this policy, the clients will round robin until they successfully connect to an MCC server. The clients have no way to determine if the MCC server has the content or not. If the MCC server doesn't have the content, it caches the content as it is handing the content back to the client.
+
-
-
-ADMX Info:
-- GP Friendly name: *Delay Background download Cache Server fallback (in seconds)*
-- GP name: *DelayCacheServerFallbackBackground*
-- GP element: *DelayCacheServerFallbackBackground*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+**Description framework properties**:
-
-
-This policy is specified in seconds.
-Supported values: 0 - one month (in seconds)
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
+
-
-
+
+**Group policy mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | CacheHost |
+| Friendly Name | Cache Server Hostname |
+| Element Name | Cache Server |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
+
+
+
-
-**DeliveryOptimization/DODelayCacheServerFallbackForeground**
+
-
+
+## DOCacheHostSource
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHostSource
+```
+
-
-
+
+
+This policy allows you to specify how your client(s) can discover Microsoft Connected Cache servers dynamically.
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+Options available are:
-> [!div class = "checklist"]
-> * Device
+0 = Disable DNS-SD.
-
+1 = DHCP Option 235.
-
-
-Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download.
+2 = DHCP Option 235 Force.
+If this policy is not configured, the client will attempt to automatically find a cache server using DNS-SD. If set to 0, the client will not use DNS-SD to automatically find a cache server. If set to 1 or 2, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured.
+
+
+
+
> [!NOTE]
-> The [DODelayForegroundDownloadFromHttp](#deliveryoptimization-dodelayforegrounddownloadfromhttp) policy takes precedence over this policy to allow downloads from peers first.
+> If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#docachehost) policy value if that value has been set.
+
-
-
-ADMX Info:
-- GP Friendly name: *Delay Foreground download Cache Server fallback (in seconds)*
-- GP name: *DelayCacheServerFallbackForeground*
-- GP element: *DelayCacheServerFallbackForeground*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+**Description framework properties**:
-
-
-This policy is specified in seconds.
-Supported values: 0 - one month (in seconds)
-
-
-
-
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 0 |
+
-
+
+**Group policy mapping**:
-
-**DeliveryOptimization/DODelayForegroundDownloadFromHttp**
+| Name | Value |
+|:--|:--|
+| Name | CacheHostSource |
+| Friendly Name | Cache Server Hostname Source |
+| Element Name | Cache Server Hostname Source |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+## DODelayBackgroundDownloadFromHttp
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayBackgroundDownloadFromHttp
+```
+
-> [!div class = "checklist"]
-> * Device
+
+
+This policy allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.
-
+After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers.
-
-
-This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer.
+**Note** that a download that is waiting for peer sources, will appear to be stuck for the end user.
-After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
+The recommended value is 1 hour (3600).
+
-A download that is waiting for peer sources, will appear to be stuck for the end user.
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DelayBackgroundDownloadFromHttp |
+| Friendly Name | Delay background download from http (in secs) |
+| Element Name | Delay background download from http (in secs) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
+
+
+
+
+
+
+
+
+## DODelayCacheServerFallbackBackground
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayCacheServerFallbackBackground
+```
+
+
+
+
+Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. **Note** that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2592000]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DelayCacheServerFallbackBackground |
+| Friendly Name | Delay Background download Cache Server fallback (in seconds) |
+| Element Name | Delay Background download Cache Server fallback (in secs) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
+
+
+
+
+
+
+
+
+## DODelayCacheServerFallbackForeground
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayCacheServerFallbackForeground
+```
+
+
+
+
+Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. **Note** that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-2592000]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DelayCacheServerFallbackForeground |
+| Friendly Name | Delay Foreground download Cache Server fallback (in seconds) |
+| Element Name | Delay Foreground download Cache Server fallback (in secs) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
+
+
+
+
+
+
+
+
+## DODelayForegroundDownloadFromHttp
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayForegroundDownloadFromHttp
+```
+
+
+
+
+This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
+
+After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers.
+
+**Note** that a download that is waiting for peer sources, will appear to be stuck for the end user.
The recommended value is 1 minute (60).
+
-
-
-ADMX Info:
-- GP Friendly name: *Delay Foreground download from http (in secs)*
-- GP name: *DelayForegroundDownloadFromHttp*
-- GP element: *DelayForegroundDownloadFromHttp*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
-The following list shows the supported values as number of seconds:
+
+**Description framework properties**:
-- 0 to 86400 (1 day)
-- 0 - managed by the cloud service
-- Default isn't configured.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 0 |
+
-
-
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | DelayForegroundDownloadFromHttp |
+| Friendly Name | Delay Foreground download from http (in secs) |
+| Element Name | Delay Foreground download from http (in secs) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
-**DeliveryOptimization/DODownloadMode**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## DODisallowCacheServerDownloadsOnVPN
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODisallowCacheServerDownloadsOnVPN
+```
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN.
+
-> [!div class = "checklist"]
-> * Device
+
+
+
-
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Allowed. |
+| 1 | Not allowed. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowCacheHostWithVPN |
+| Path | DeliveryOptimization > AT > WindowsComponents > DeliveryOptimizationCat |
+| Element Name | DisallowCacheServerDownloadsOnVPN |
+
+
+
+
+
+
+
+
+
+## DODownloadMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode
+```
+
+
+
+
+Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1.
+
+
+
+
> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
+> The Delivery Optimization service on the clients checks to see if there are peers and/or an MCC server which contains the content and determines the best source for the content.
+
+
+**Description framework properties**:
-Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
-ADMX Info:
-- GP Friendly name: *Download Mode*
-- GP name: *DownloadMode*
-- GP element: *DownloadMode*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+**Allowed values**:
-
-
-The following list shows the supported values:
+| Value | Description |
+|:--|:--|
+| 0 (Default) | HTTP only, no peering. |
+| 1 | HTTP blended with peering behind the same NAT. |
+| 2 | When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. |
+| 3 | HTTP blended with Internet peering. |
+| 99 | Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. |
+| 100 | Bypass mode. Windows 10: Do not use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. |
+
-- 0 – HTTP only, no peering.
-- 1 (default) – HTTP blended with peering behind the same NAT.
-- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
-- 3 – HTTP blended with Internet peering.
-- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
-- 100 - Bypass mode. Don't use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. This value is deprecated and will be removed in a future release.
-
-
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | DownloadMode |
+| Friendly Name | Download Mode |
+| Element Name | Download Mode |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
-**DeliveryOptimization/DOGroupId**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## DOGroupId
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOGroupId
+```
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to.
-> [!div class = "checklist"]
-> * Device
+Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN.
-
+**Note** this is a best effort optimization and should not be relied on for an authentication of identity.
+
-
-
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | GroupId |
+| Friendly Name | Group ID |
+| Element Name | Group ID |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
+
+
+
+
+
+
+
+
+## DOGroupIdSource
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOGroupIdSource
+```
+
+
+
+
+Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
+
+
+
+
> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
+> The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead.
+
+
+**Description framework properties**:
-This policy specifies an arbitrary group ID that the device belongs to. Use this ID if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN. This approach is a best effort optimization and shouldn't be relied on for an authentication of identity.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-> [!NOTE]
-> You must use a GUID as the group ID.
+
+**Allowed values**:
-
-
-ADMX Info:
-- GP Friendly name: *Group ID*
-- GP name: *GroupId*
-- GP element: *GroupId*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Unset. |
+| 1 | AD site. |
+| 2 | Authenticated domain SID. |
+| 3 | DHCP user option. |
+| 4 | DNS suffix. |
+| 5 | AAD. |
+
-
-
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | GroupIdSource |
+| Friendly Name | Select the source of Group IDs |
+| Element Name | Source of Group IDs |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
-**DeliveryOptimization/DOGroupIdSource**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## DOMaxBackgroundDownloadBandwidth
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMaxBackgroundDownloadBandwidth
+```
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Set this policy to restrict peer selection to a specific source. Available options are: 1 = Active Directory Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Azure Active Directory.
-
-When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
-
-For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
-
-Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this task, set the value of DOGroupIdSource to 5.
-
-
-
-ADMX Info:
-- GP Friendly name: *Select the source of Group IDs*
-- GP name: *GroupIdSource*
-- GP element: *GroupIdSource*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
-
-
-
-The following list shows the supported values:
-
-- 1 - Active Directory site
-- 2 - Authenticated domain SID
-- 3 - DHCP user option
-- 4 - DNS suffix
-- 5 - Azure Active Directory
-
-
-
-
-
-
-
-**DeliveryOptimization/DOMaxBackgroundDownloadBandwidth**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
+
+
+Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
-
-
-ADMX Info:
-- GP Friendly name: *Maximum Background Download Bandwidth (in KB/s)*
-- GP name: *MaxBackgroundDownloadBandwidth*
-- GP element: *MaxBackgroundDownloadBandwidth*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 0 |
+
-
-**DeliveryOptimization/DOMaxCacheAge**
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | MaxBackgroundDownloadBandwidth |
+| Friendly Name | Maximum Background Download Bandwidth (in KB/s) |
+| Element Name | Maximum Background Download Bandwidth (in KB/s) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## DOMaxCacheAge
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMaxCacheAge
+```
+
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
+
+
+Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days).
+
+
+
+
-Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607.
+
+**Description framework properties**:
-The default value is 259200 seconds (three days).
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 0 |
+
-
-
-ADMX Info:
-- GP Friendly name: *Max Cache Age (in seconds)*
-- GP name: *MaxCacheAge*
-- GP element: *MaxCacheAge*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+**Group policy mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | MaxCacheAge |
+| Friendly Name | Max Cache Age (in seconds) |
+| Element Name | Max Cache Age (in seconds) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
+
+
+
-
-**DeliveryOptimization/DOMaxCacheSize**
+
-
+
+## DOMaxCacheSize
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMaxCacheSize
+```
+
-
-
+
+
+Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20.
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
-> [!div class = "checklist"]
-> * Device
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-100]` |
+| Default Value | 0 |
+
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
+
+**Group policy mapping**:
+| Name | Value |
+|:--|:--|
+| Name | MaxCacheSize |
+| Friendly Name | Max Cache Size (percentage) |
+| Element Name | Max Cache Size (Percentage) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100).
+
+
+
-The default value is 20.
+
-
-
-ADMX Info:
-- GP Friendly name: *Max Cache Size (percentage)*
-- GP name: *MaxCacheSize*
-- GP element: *MaxCacheSize*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+## DOMaxForegroundDownloadBandwidth
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMaxForegroundDownloadBandwidth
+```
+
-
-**DeliveryOptimization/DOMaxDownloadBandwidth**
-
-
-
-
-
-
-
-
-
-
-
-
-This policy is deprecated. Use [DOMaxForegroundDownloadBandwidth](#deliveryoptimization-domaxforegrounddownloadbandwidth) and [DOMaxBackgroundDownloadBandwidth](#deliveryoptimization-domaxbackgrounddownloadbandwidth) policies instead.
-
-
-
-
-
-
-
-
-
-**DeliveryOptimization/DOMaxForegroundDownloadBandwidth**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
+
+
+Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
-
-
-ADMX Info:
-- GP Friendly name: *Maximum Foreground Download Bandwidth (in KB/s)*
-- GP name: *MaxForegroundDownloadBandwidth*
-- GP element: *MaxForegroundDownloadBandwidth*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+
-
-
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 0 |
+
-
-**DeliveryOptimization/DOMaxUploadBandwidth**
+
+**Group policy mapping**:
-
-
-
+| Name | Value |
+|:--|:--|
+| Name | MaxForegroundDownloadBandwidth |
+| Friendly Name | Maximum Foreground Download Bandwidth (in KB/s) |
+| Element Name | Maximum Foreground Download Bandwidth (in KB/s) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
-
+
+
+
-This policy is deprecated because it only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which isn't used in commercial deployments. There's no alternate policy to use.
+
-
-
-
-
+
+## DOMinBackgroundQos
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
-
-**DeliveryOptimization/DOMinBackgroundQos**
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinBackgroundQos
+```
+
-
+
+
+Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s).
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-4294967295]` |
+| Default Value | 0 |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+**Group policy mapping**:
-> [!div class = "checklist"]
-> * Device
+| Name | Value |
+|:--|:--|
+| Name | MinBackgroundQos |
+| Friendly Name | Minimum Background QoS (in KB/s) |
+| Element Name | Minimum Background QoS (in KB/s) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
+
+
+
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
+
+
+## DOMinBatteryPercentageAllowedToUpload
-Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-The default value is 500.
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
+```
+
-
-
-ADMX Info:
-- GP Friendly name: *Minimum Background QoS (in KB/s)*
-- GP name: *MinBackgroundQos*
-- GP element: *MinBackgroundQos*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+
+Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery).
-
-
+The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can download from peers while on battery regardless of this policy.
-
+The value 0 means "not-limited"; The cloud service set default value will be used.
+
-
-**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload**
+
+
+
-
+
+**Description framework properties**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-100]` |
+| Default Value | 0 |
+
+
+**Group policy mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | MinBatteryPercentageAllowedToUpload |
+| Friendly Name | Allow uploads while the device is on battery while under set Battery level (percentage) |
+| Element Name | Minimum battery level (Percentage) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
-> [!div class = "checklist"]
-> * Device
+
-
+
+## DOMinDiskSizeAllowedToPeer
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions.
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery.
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinDiskSizeAllowedToPeer
+```
+
-The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used.
+
+
+Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default value will be used.
-
-
-ADMX Info:
-- GP Friendly name: *Allow uploads while the device is on battery while under set Battery level (percentage)*
-- GP name: *MinBatteryPercentageAllowedToUpload*
-- GP element: *MinBatteryPercentageAllowedToUpload*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
-
-
-
-
-
-
-
-**DeliveryOptimization/DOMinDiskSizeAllowedToPeer**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions.
-
-
-Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB.
+Recommended values: 64 GB to 256 GB.
> [!NOTE]
-> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
-
-The default value is 32 GB.
-
-
-
-ADMX Info:
-- GP Friendly name: *Minimum disk size allowed to use Peer Caching (in GB)*
-- GP name: *MinDiskSizeAllowedToPeer*
-- GP element: *MinDiskSizeAllowedToPeer*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
-
-
-
-
-
-
-
-**DeliveryOptimization/DOMinFileSizeToCache**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions.
-
-
-Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB.
-
-The default value is 100 MB.
-
-
-
-ADMX Info:
-- GP Friendly name: *Minimum Peer Caching Content File Size (in MB)*
-- GP name: *MinFileSizeToCache*
-- GP element: *MinFileSizeToCache*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
-
-
-
-
-
-
-
-**DeliveryOptimization/DOMinRAMAllowedToPeer**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions.
-
-
-Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB.
-
-The default value is 4 GB.
-
-
-
-ADMX Info:
-- GP Friendly name: *Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)*
-- GP name: *MinRAMAllowedToPeer*
-- GP element: *MinRAMAllowedToPeer*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
-
-
-
-
-
-
-
-**DeliveryOptimization/DOModifyCacheDrive**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
-
-
-Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
-
-By default, %SystemDrive% is used to store the cache.
-
-
-
-ADMX Info:
-- GP Friendly name: *Modify Cache Drive*
-- GP name: *ModifyCacheDrive*
-- GP element: *ModifyCacheDrive*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
-
-
-
-
-
-
-
-**DeliveryOptimization/DOMonthlyUploadDataCap**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
-
-
-Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
-
-The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set.
-
-The default value is 20.
-
-
-
-ADMX Info:
-- GP Friendly name: *Monthly Upload Data Cap (in GB)*
-- GP name: *MonthlyUploadDataCap*
-- GP element: *MonthlyUploadDataCap*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
-
-
-
-
-
-
-
-**DeliveryOptimization/DOPercentageMaxBackgroundBandwidth**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
+> If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-100000]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MinDiskSizeAllowedToPeer |
+| Friendly Name | Minimum disk size allowed to use Peer Caching (in GB) |
+| Element Name | Minimum disk size allowed to use Peer Caching (in GB) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
+
+
+
+
+
+
+
+
+## DOMinFileSizeToCache
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinFileSizeToCache
+```
+
+
+
+
+Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-100000]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MinFileSizeToCache |
+| Friendly Name | Minimum Peer Caching Content File Size (in MB) |
+| Element Name | Minimum Peer Caching Content File Size (in MB) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
+
+
+
+
+
+
+
+
+## DOMinRAMAllowedToPeer
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinRAMAllowedToPeer
+```
+
+
+
+
+Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-100000]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MinRAMAllowedToPeer |
+| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
+| Element Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
+
+
+
+
+
+
+
+
+## DOModifyCacheDrive
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOModifyCacheDrive
+```
+
+
+
+
+Specifies the drive Delivery Optimization shall use for its cache.
+
+By default, %SystemDrive% is used to store the cache. The drive location can be specified using environment variables, drive letter or using a full path.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ModifyCacheDrive |
+| Friendly Name | Modify Cache Drive |
+| Element Name | Modify Cache Drive |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
+
+
+
+
+
+
+
+
+## DOMonthlyUploadDataCap
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMonthlyUploadDataCap
+```
+
+
+
+
+Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit is applied if 0 is set. The default value is 5120 (5 TB).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-4294967295]` |
+| Default Value | 0 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MonthlyUploadDataCap |
+| Friendly Name | Monthly Upload Data Cap (in GB) |
+| Element Name | Monthly Upload Data Cap (in GB) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
+
+
+
+
+
+
+
+
+## DOPercentageMaxBackgroundBandwidth
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOPercentageMaxBackgroundBandwidth
+```
+
+
+
+
+Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
+
+The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
+
+
+
+
Downloads from LAN peers won't be throttled even when this policy is set.
+
-
-
-ADMX Info:
-- GP Friendly name: *Maximum Background Download Bandwidth (percentage)*
-- GP name: *PercentageMaxBackgroundBandwidth*
-- GP element: *PercentageMaxBackgroundBandwidth*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-100]` |
+| Default Value | 0 |
+
-
+
+**Group policy mapping**:
-
-**DeliveryOptimization/DOPercentageMaxDownloadBandwidth**
+| Name | Value |
+|:--|:--|
+| Name | PercentageMaxBackgroundBandwidth |
+| Friendly Name | Maximum Background Download Bandwidth (percentage) |
+| Element Name | Maximum Background Download Bandwidth (Percentage) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
+
+
+
-
-This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryoptimization-dopercentagemaxforegroundbandwidth) and [DOPercentageMaxBackgroundBandwidth](#deliveryoptimization-dopercentagemaxbackgroundbandwidth) policies instead.
+
-
-
+
+## DOPercentageMaxForegroundBandwidth
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
-
-**DeliveryOptimization/DOPercentageMaxForegroundBandwidth**
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOPercentageMaxForegroundBandwidth
+```
+
-
+
+
+Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
+
+
+
+
-
-
+
+**Description framework properties**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-100]` |
+| Default Value | 0 |
+
-> [!div class = "checklist"]
-> * Device
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | PercentageMaxForegroundBandwidth |
+| Friendly Name | Maximum Foreground Download Bandwidth (percentage) |
+| Element Name | Maximum Foreground Download Bandwidth (Percentage) |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
-
-Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
+
+
+
-Downloads from LAN peers won't be throttled even when this policy is set.
+
-
-
-ADMX Info:
-- GP Friendly name: *Maximum Foreground Download Bandwidth (percentage)*
-- GP name: *PercentageMaxForegroundBandwidth*
-- GP element: *PercentageMaxForegroundBandwidth*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+## DORestrictPeerSelectionBy
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DORestrictPeerSelectionBy
+```
+
-
-**DeliveryOptimization/DORestrictPeerSelectionBy**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
Set this policy to restrict peer selection via selected option.
-In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently, the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore it means that there is no peering between subnets. The default value in Windows 11 is set to "Local Peer Discovery".
+Options available are:
+0 = NAT.
+1 = Subnet mask.
+2 = Local discovery (DNS-SD).
+
+The default value has changed from 0 (no restriction) to 1 (restrict to the subnet).
+
+These options apply to both Download Mode LAN (1) and Group (2).
+
+
+
+
If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
-The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds.
+In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. The default value in Windows 11 is set to 'Local Peer Discovery'. The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds.
+
-
-
-ADMX Info:
-- GP Friendly name: *Select a method to restrict Peer Selection*
-- GP name: *RestrictPeerSelectionBy*
-- GP element: *RestrictPeerSelectionBy*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+
+**Description framework properties**:
-
-
-The following list shows the supported values:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-- 0 - NAT
-- 1 - Subnet mask
-- 2 - Local Peer Discovery
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 0 (Default) | None. |
+| 1 | Subnet mask. |
+| 2 | Local peer discovery (DNS-SD). |
+
-
+
+**Group policy mapping**:
-
-**DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth**
+| Name | Value |
+|:--|:--|
+| Name | RestrictPeerSelectionBy |
+| Friendly Name | Select a method to restrict Peer Selection |
+| Element Name | Restrict Peer Selection By |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+## DOSetHoursToLimitBackgroundDownloadBandwidth
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
+```
+
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Set Business Hours to Limit Background Download Bandwidth*
-- GP name: *SetHoursToLimitBackgroundDownloadBandwidth*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetHoursToLimitBackgroundDownloadBandwidth |
+| Friendly Name | Set Business Hours to Limit Background Download Bandwidth |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
+
+
+
+
+
+
+
+
+## DOSetHoursToLimitForegroundDownloadBandwidth
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
+```
+
+
+
+
+Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
+
+
+
+
This policy allows an IT Admin to define the following details:
- Business hours range (for example 06:00 to 18:00)
- % of throttle for background traffic during business hours
- % of throttle for background traffic outside of business hours
+
-
-
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | SetHoursToLimitForegroundDownloadBandwidth |
+| Friendly Name | Set Business Hours to Limit Foreground Download Bandwidth |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
+
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## DOVpnKeywords
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOVpnKeywords
+```
+
-
-
-Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
+
+
+This policy allows you to set one or more keywords used to recognize VPN connections.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Set Business Hours to Limit Foreground Download Bandwidth*
-- GP name: *SetHoursToLimitForegroundDownloadBandwidth*
-- GP path: *Windows Components/Delivery Optimization*
-- GP ADMX file name: *DeliveryOptimization.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `,`) |
+
-
-
-This policy allows an IT Admin to define the following details:
+
+**Group policy mapping**:
-- Business hours range (for example 06:00 to 18:00)
-- % of throttle for foreground traffic during business hours
-- % of throttle for foreground traffic outside of business hours
+| Name | Value |
+|:--|:--|
+| Name | VpnKeywords |
+| Path | DeliveryOptimization > AT > WindowsComponents > DeliveryOptimizationCat |
+| Element Name | VpnKeywords |
+
-
-
-
+
+
+
+
-
+
+
+
-## Related topics
+
+
+## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
-
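Review bot: The new DOVpnKeywords section documents the policy with a single sentence ("This policy allows you to set one or more keywords used to recognize VPN connections"), which does not say what the keywords are matched against or what Delivery Optimization does differently once a connection is recognized as VPN. Suggest adding a sentence on the matching target and the resulting behaviour, plus an example value in the comma-delimited form the Allowed Values row declares. In the same section, the Group policy mapping path `DeliveryOptimization > AT > WindowsComponents > DeliveryOptimizationCat` reads like raw ADMX category identifiers, whereas the ADMX mapping table just above it uses the display path `Windows Components > Delivery Optimization`. Use the display path here too, and add the Registry Key Name and ADMX File Name rows that the table above carries, so an admin can verify the setting on a device.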
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 1cd8888461..1cc683a423 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -1,92 +1,96 @@
---
-title: Policy CSP - Desktop
-description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders.
+title: Desktop Policy CSP
+description: Learn more about the Desktop Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - Desktop
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## Desktop policies
+
+## PreventUserRedirectionOfProfileFolders
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Desktop/PreventUserRedirectionOfProfileFolders
+```
+
-
-
-
-**Desktop/PreventUserRedirectionOfProfileFolders**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-
-
-
-
-
-This policy setting prevents users from changing the path to their profile folders.
+
+
+Prevents users from changing the path to their profile folders.
By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.
-If you enable this setting, users are unable to type a new location in the Target box.
+- If you enable this setting, users are unable to type a new location in the Target box.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Prohibit User from manually redirecting Profile Folders*
-- GP name: *DisablePersonalDirChange*
-- GP path: *Desktop*
-- GP ADMX file name: *desktop.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+**ADMX mapping**:
+| Name | Value |
+|:--|:--|
+| Name | DisablePersonalDirChange |
+| Friendly Name | Prohibit User from manually redirecting Profile Folders |
+| Location | User Configuration |
+| Path | Desktop |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
+| Registry Value Name | DisablePersonalDirChange |
+| ADMX File Name | Desktop.admx |
+
-
+
+
+
-## Related topics
+
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
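Review bot: Both TIP blocks in this hunk change the link target from `../understanding-admx-backed-policies.md` to `./understanding-admx-backed-policies.md` while the file itself stays under `windows/client-management/mdm/`, so the link now resolves to a different directory. Please confirm the target exists at the new location, otherwise both the top-of-page tip and the per-policy tip will 404. Two smaller points: the front matter sets `title: Desktop Policy CSP` but the unchanged H1 still reads `# Policy CSP - Desktop`, and turning "If you enable this setting, users are unable to type a new location in the Target box." into a one-item bullet list suggests a disable or not-configured case that the text never states. Either add that case or keep the sentence as plain prose.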
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
index f6f865422e..36f2988560 100644
--- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -1,595 +1,707 @@
---
-title: Policy CSP - DesktopAppInstaller
-description: Learn about the Policy CSP - DesktopAppInstaller.
-ms.author: v-aljupudi
+title: DesktopAppInstaller Policy CSP
+description: Learn more about the DesktopAppInstaller Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 01/09/2023
ms.localizationpriority: medium
-ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
-author: alekyaj
-ms.date: 08/24/2022
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - DesktopAppInstaller
->[!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> [!TIP]
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
-
+
+## EnableAdditionalSources
-
-## DesktopAppInstaller policies
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAdditionalSources
+```
+
+
+
+This policy controls additional sources provided by the enterprise IT administrator.
-
+- If you do not configure this policy, no additional sources will be configured for the [Windows Package Manager](/windows/package-manager/).
-
-**DesktopAppInstaller/EnableAdditionalSources**
+- If you enable this policy, the additional sources will be added to the [Windows Package Manager](/windows/package-manager/) and cannot be removed. The representation for each additional source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'.
-
+- If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/).
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
+**Description framework properties**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-> [!div class = "checklist"]
-> * Device
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-
-
-This policy controls additional sources configured for [Windows Package Manager](/windows/package-manager/).
+| Name | Value |
+|:--|:--|
+| Name | EnableAdditionalSources |
+| Friendly Name | Enable App Installer Additional Sources |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableAdditionalSources |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-If you don't configure this setting, no additional sources will be configured for Windows Package Manager.
+
+
+
-If you enable this setting, additional sources will be added to Windows Package Manager, and can't be removed. The representation for each additional source can be obtained from installed sources using [*winget source export*](/windows/package-manager/winget/).
+
-If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
+
+## EnableAllowedSources
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
-ADMX Info:
-- GP Friendly name: *Enable Additional Windows Package Manager Sources*
-- GP name: *EnableAdditionalSources*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAllowedSources
+```
+
-
-
+
+
+This policy controls additional sources allowed by the enterprise IT administrator.
-
+- If you do not configure this policy, users will be able to add or remove additional sources other than those configured by policy.
+- If you enable this policy, only the sources specified can be added or removed from the [Windows Package Manager](/windows/package-manager/). The representation for each allowed source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'.
-
-**DesktopAppInstaller/EnableAppInstaller**
+- If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/).
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-> [!div class = "checklist"]
-> * Device
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | EnableAllowedSources |
+| Friendly Name | Enable App Installer Allowed Sources |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableAllowedSources |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-
-
-This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy.
+
+
+
-- If you enable or don't configure this setting, users will be able to use the Windows Package Manager.
-- If you disable this setting, users won't be able to use the Windows Package Manager.
+
-
+
+## EnableAppInstaller
-
-ADMX Info:
-- GP Friendly name: *Controls whether the Windows Package Manager can be used by the users*
-- GP name: *EnableAppInstaller*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAppInstaller
+```
+
-
+
+
+This policy controls whether the [Windows Package Manager](/windows/package-manager/) can be used by users.
-
-**DesktopAppInstaller/EnableDefaultSource**
+- If you enable or do not configure this setting, users will be able to use the [Windows Package Manager](/windows/package-manager/).
-
+- If you disable this setting, users will not be able to use the [Windows Package Manager](/windows/package-manager/).
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy.
+
-
-
+
+**Description framework properties**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-> [!div class = "checklist"]
-> * Device
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | EnableAppInstaller |
+| Friendly Name | Enable App Installer |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableAppInstaller |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-This policy controls the default source included with the Windows Package Manager.
-If you do not configure this setting, the default source for the Windows Package Manager will be and can be removed.
-- If you enable this setting, the default source for the Windows Package Manager will be, and can't be removed.
-- If you disable this setting the default source for the Windows Package Manager won't be available.
+
+
+
-
+
-
-ADMX Info:
-- GP Friendly name: *Enable Windows Package Manager Default Source*
-- GP name: *EnableDefaultSource*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
+
+## EnableDefaultSource
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableDefaultSource
+```
+
-
-**DesktopAppInstaller/EnableLocalManifestFiles**
+
+
+This policy controls the default source included with the [Windows Package Manager](/windows/package-manager/).
-
+- If you do not configure this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and can be removed.
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+- If you enable this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed.
-
-
+- If you disable this setting the default source for the [Windows Package Manager](/windows/package-manager/) will not be available.
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+
-> [!div class = "checklist"]
-> * Device
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableDefaultSource |
+| Friendly Name | Enable App Installer Default Source |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableDefaultSource |
+| ADMX File Name | DesktopAppInstaller.admx |
+
+
+
+
+
+
+
+
+
+## EnableExperimentalFeatures
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableExperimentalFeatures
+```
+
+
+
+
+This policy controls whether users can enable experimental features in the [Windows Package Manager](/windows/package-manager/).
+
+- If you enable or do not configure this setting, users will be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/).
+
+- If you disable this setting, users will not be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/).
+
+
+
+
+Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableExperimentalFeatures |
+| Friendly Name | Enable App Installer Experimental Features |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableExperimentalFeatures |
+| ADMX File Name | DesktopAppInstaller.admx |
+
+
+
+
+
+
+
+
+
+## EnableHashOverride
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableHashOverride
+```
+
+
+
+
+This policy controls whether or not the [Windows Package Manager](/windows/package-manager/) can be configured to enable the ability override the SHA256 security validation in settings.
+
+- If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings.
+
+- If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableHashOverride |
+| Friendly Name | Enable App Installer Hash Override |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableHashOverride |
+| ADMX File Name | DesktopAppInstaller.admx |
+
+
+
+
+
+
+
+
+
+## EnableLocalManifestFiles
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableLocalManifestFiles
+```
+
+
+
+
This policy controls whether users can install packages with local manifest files.
-- If you enable or don't configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.
-- If you disable this setting, users won't be able to install packages with local manifests using the Windows Package Manager.
+- If you enable or do not configure this setting, users will be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/).
-
+- If you disable this setting, users will not be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/).
+
-
-ADMX Info:
-- GP Friendly name: *Enable Windows Package Manager Local Manifest Files*
-- GP name: *EnableLocalManifestFiles*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
-
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**DesktopAppInstaller/EnableHashOverride**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | EnableLocalManifestFiles |
+| Friendly Name | Enable App Installer Local Manifest Files |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableLocalManifestFiles |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * Device
+
+## EnableMicrosoftStoreSource
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMicrosoftStoreSource
+```
+
-This policy controls whether Windows Package Manager can be configured to enable the ability to override `SHA256` security validation in settings. Windows Package Manager compares the installer after it has downloaded with the hash provided in the manifest.
+
+
+This policy controls the Microsoft Store source included with the [Windows Package Manager](/windows/package-manager/).
-- If you enable or do not configure this setting, users will be able to enable the ability to override `SHA256` security validation in Windows Package Manager settings.
+- If you do not configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed.
-- If you disable this setting, users will not be able to enable the ability to override SHA256 security validation in Windows Package Manager settings.
+- If you enable this setting, the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed.
-
+- If you disable this setting the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will not be available.
+
-
-ADMX Info:
-- GP Friendly name: *Enable App Installer Hash Override*
-- GP name: *EnableHashOverride*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
-
-
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**DesktopAppInstaller/EnableMicrosoftStoreSource**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | EnableMicrosoftStoreSource |
+| Friendly Name | Enable App Installer Microsoft Store Source |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableMicrosoftStoreSource |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * Device
+
+## EnableMSAppInstallerProtocol
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMSAppInstallerProtocol
+```
+
-This policy controls the Microsoft Store source included with the Windows Package Manager.
-If you don't configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed.
-- If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available, and can't be removed.
-- If you disable this setting the Microsoft Store source for the Windows Package Manager won't be available.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Enable Windows Package Manager Microsoft Store Source*
-- GP name: *EnableMicrosoftStoreSource*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
-
-
-
-
-
-
-
-**DesktopAppInstaller/EnableMSAppInstallerProtocol**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy controls whether users can install packages from a website that is using the `ms-appinstaller` protocol.
+
+
+This policy controls whether users can install packages from a website that is using the ms-appinstaller protocol.
- If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol.
- If you disable this setting, users will not be able to install packages from websites that use this protocol.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableMSAppInstallerProtocol |
+| Friendly Name | Enable App Installer ms-appinstaller protocol |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableMSAppInstallerProtocol |
+| ADMX File Name | DesktopAppInstaller.admx |
+
+
+
+
+
+
+
+
+
+## EnableSettings
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableSettings
+```
+
+
+
+
+This policy controls whether users can change their settings.
+
+- If you enable or do not configure this setting, users will be able to change settings for the [Windows Package Manager](/windows/package-manager/).
+
+- If you disable this setting, users will not be able to change settings for the [Windows Package Manager](/windows/package-manager/).
+
+
+
+
+The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableSettings |
+| Friendly Name | Enable App Installer Settings |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| Registry Value Name | EnableSettings |
+| ADMX File Name | DesktopAppInstaller.admx |
+
+
+
+
+
+
+
+
+
+## SourceAutoUpdateInterval
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/SourceAutoUpdateInterval
+```
+
+
+
+
+This policy controls the auto update interval for package-based sources.
+
+- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the [Windows Package Manager](/windows/package-manager/).
+
+- If you enable this setting, the number of minutes specified will be used by the [Windows Package Manager](/windows/package-manager/).
+
+
+
+
+The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources.
+
+
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SourceAutoUpdateInterval |
+| Friendly Name | Set App Installer Source Auto Update Interval In Minutes |
+| Location | Computer Configuration |
+| Path | Windows Components > Desktop App Installer |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
+| ADMX File Name | DesktopAppInstaller.admx |
+
-
-ADMX Info:
-- GP Friendly name: *Enable MS App Installer Protocol*
-- GP name: *EnableMSAppInstallerProtocol*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
-
-
+
-
+
+
+
+
+
+
+## Related articles
-
-**DesktopAppInstaller/EnableSettings**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy controls whether users can change their settings. The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy.
-
-- If you enable or do not configure this setting, users will be able to change settings for Windows Package Manager.
-- If you disable this setting, users will not be able to change settings for Windows Package Manager.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Enable Windows Package Manager Settings Command*
-- GP name: *EnableSettings*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
-
-
-
-
-
-
-
-**DesktopAppInstaller/EnableAllowedSources**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy controls additional sources approved for users to configure using Windows Package Manager. If you don't configure this setting, users will be able to add or remove additional sources other than those configured by policy.
-
-- If you enable this setting, only the sources specified can be added or removed from Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export.
-- If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Enable Windows Package Manager Settings Command*
-- GP name: *EnableAllowedSources*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
-
-
-
-
-
-
-
-**DesktopAppInstaller/EnableExperimentalFeatures**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy controls whether users can enable experimental features in Windows Package Manager. Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior.
-
-- If you enable or do not configure this setting, users will be able to enable experimental features for Windows Package Manager.
-
-- If you disable this setting, users will not be able to enable experimental features for Windows Package Manager.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Enable Windows Package Manager Experimental Features*
-- GP name: *EnableExperimentalFeatures*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
-
-
-
-
-
-
-
-**DesktopAppInstaller/SourceAutoUpdateInterval**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-
-This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources.
-
-- If you enable this setting, the number of minutes specified will be used by Windows Package Manager.
-
-- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by Windows Package Manager.
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Set Windows Package Manager Source Auto Update Interval In Minutes*
-- GP name: *SourceAutoUpdateInterval*
-- GP path: *Administrative Templates\Windows Components\App Package Deployment*
-- GP ADMX file name: *AppxPackageManager.admx*
-
-
-
-
-
-
-
-
-## Related topics
-
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
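Review bot: the new ADMX mapping table for SourceAutoUpdateInterval has no `Registry Value Name` row, while the EnableMSAppInstallerProtocol and EnableSettings tables added in this same hunk both have one. The description says "the number of minutes specified will be used", yet the format is `chr (string)` and nothing here says which element of the ADMX-backed payload carries the minutes value. Either add the missing row or name the element that holds the interval, so an admin can check what ends up under `Software\Policies\Microsoft\Windows\AppInstaller`. Also, the old EnableAllowedSources and EnableExperimentalFeatures sections are deleted in this part of the hunk; confirm the added side still documents both policies, since they are the ones that restrict package sources and experimental features.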
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index c7f637d5a7..cb8e92e349 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -1,259 +1,351 @@
---
-title: Policy CSP - DeviceGuard
-description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard.
+title: DeviceGuard Policy CSP
+description: Learn more about the DeviceGuard Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - DeviceGuard
+
+
+
-
+
+## ConfigureSystemGuardLaunch
-
-## DeviceGuard policies
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceGuard/ConfigureSystemGuardLaunch
+```
+
+
+
+Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch.
+
-
-
-
-**DeviceGuard/ConfigureSystemGuardLaunch**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|No|No|
-|Windows SE|No|No|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy allows the IT admin to configure the launch of System Guard.
-
-Secure Launch configuration:
-
-- 0 - Unmanaged, configurable by Administrative user
-- 1 - Enables Secure Launch if supported by hardware
-- 2 - Disables Secure Launch.
-
+
+
For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows).
+
-
-
-ADMX Info:
-- GP Friendly name: *Turn On Virtualization Based Security*
-- GP name: *VirtualizationBasedSecurity*
-- GP element: *SystemGuardDrop*
-- GP path: *System/Device Guard*
-- GP ADMX file name: *DeviceGuard.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Unmanaged Configurable by Administrative user. |
+| 1 | Unmanaged Enables Secure Launch if supported by hardware. |
+| 2 | Unmanaged Disables Secure Launch. |
+
-
-
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | VirtualizationBasedSecurity |
+| Friendly Name | Turn On Virtualization Based Security |
+| Element Name | Secure Launch Configuration |
+| Location | Computer Configuration |
+| Path | System > Device Guard |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
+| ADMX File Name | DeviceGuard.admx |
+
-
-**DeviceGuard/EnableVirtualizationBasedSecurity**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|No|No|
-|Windows SE|No|No|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## EnableVirtualizationBasedSecurity
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity
+```
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+
+Specifies whether Virtualization Based Security is enabled.
-> [!div class = "checklist"]
-> * Device
+Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot, and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices.
-
+Virtualization Based Protection of Code Integrity
-
-
-Turns on virtualization based security(VBS) at the next reboot. Virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
+This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature.
-
-
-ADMX Info:
-- GP Friendly name: *Turn On Virtualization Based Security*
-- GP name: *VirtualizationBasedSecurity*
-- GP path: *System/Device Guard*
-- GP ADMX file name: *DeviceGuard.admx*
+The "Disabled" option turns off Virtualization Based Protection of Code Integrity remotely if it was previously turned on with the "Enabled without lock" option.
-
-
-The following list shows the supported values:
+The "Enabled with UEFI lock" option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
-- 0 (default) - disable virtualization based security.
-- 1 - enable virtualization based security.
+The "Enabled without lock" option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy.
-
-
+The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified.
-
+The "Require UEFI Memory Attributes Table" option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility.
-
-**DeviceGuard/LsaCfgFlags**
+> [!WARNING]
+> All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible.
-
+Credential Guard
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|No|No|
-|Windows SE|No|No|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials.
+For Windows 11 21. H2 and earlier, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option. For later versions, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option or was "Not Configured".
-
-
+The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+The "Enabled without lock" option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).
-> [!div class = "checklist"]
-> * Device
+For Windows 11 21. H2 and earlier, the "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. For later versions, if there is no current setting in the registry, the "Not Configured" option will enable Credential Guard without UEFI lock.
-
+Secure Launch
-
-
+This setting sets the configuration of Secure Launch to secure the boot chain.
+
+The "Not Configured" setting is the default, and allows configuration of the feature by Administrative users.
+
+The "Enabled" option turns on Secure Launch on supported hardware.
+
+The "Disabled" option turns off Secure Launch, regardless of hardware support.
+
+Kernel-mode Hardware-enforced Stack Protection
+
+This setting enables Hardware-enforced Stack Protection for kernel-mode code. When this security feature is enabled, kernel-mode data stacks are hardened with hardware-based shadow stacks, which store intended return address targets to ensure that program control flow is not tampered.
+
+This security feature has the following prerequisites
+1) The CPU hardware supports hardware-based shadow stacks.
+2) Virtualization Based Protection of Code Integrity is enabled.
+
+If either prerequisite is not met, this feature will not be enabled, even if an "Enabled" option is selected for this feature. **Note** that selecting an "Enabled" option for this feature will not automatically enable Virtualization Based Protection of Code Integrity, that needs to be done separately.
+
+Devices that enable this security feature must be running at least Windows 11 (Version 22. H2).
+
+The "Disabled" option turns off kernel-mode Hardware-enforced Stack Protection.
+
+The "Enabled in audit mode" option enables kernel-mode Hardware-enforced Stack Protection in audit mode, where shadow stack violations are not fatal and will be logged to the system event log.
+
+The "Enabled in enforcement mode" option enables kernel-mode Hardware-enforced Stack Protection in enforcement mode, where shadow stack violations are fatal.
+
+The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified.
+
+> [!WARNING]
+> All drivers on the system must be compatible with this security feature or the system may crash in enforcement mode. Audit mode can be used to discover incompatible drivers. For more information, refer to
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags
+```
+
+
+
+
+Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock. |
+| 1 | (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock. |
+| 2 | (Enabled without lock) Turns on Credential Guard without UEFI lock. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | VirtualizationBasedSecurity |
+| Friendly Name | Turn On Virtualization Based Security |
+| Element Name | Credential Guard Configuration |
+| Location | Computer Configuration |
+| Path | System > Device Guard |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
+| ADMX File Name | DeviceGuard.admx |
+
+
+
+
+
+
+
+
+
+## RequirePlatformSecurityFeatures
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures
+```
+
+
+
+
+Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.
+
+
+
+
This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer.
+
-
-
-ADMX Info:
-- GP Friendly name: *Turn On Virtualization Based Security*
-- GP name: *VirtualizationBasedSecurity*
-- GP element: *CredentialIsolationDrop*
-- GP path: *System/Device Guard*
-- GP ADMX file name: *DeviceGuard.admx*
+
+**Description framework properties**:
-
-
-The following list shows the supported values:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-- 0 (default) - (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock.
-- 1 - (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.
-- 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock.
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 1 (Default) | Turns on VBS with Secure Boot. |
+| 3 | Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support. |
+
-
+
+**Group policy mapping**:
-
-**DeviceGuard/RequirePlatformSecurityFeatures**
+| Name | Value |
+|:--|:--|
+| Name | VirtualizationBasedSecurity |
+| Friendly Name | Turn On Virtualization Based Security |
+| Element Name | Select Platform Security Level |
+| Location | Computer Configuration |
+| Path | System > Device Guard |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
+| ADMX File Name | DeviceGuard.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|No|No|
-|Windows SE|No|No|
-|Business|No|No|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This setting specifies the platform security level at the next reboot. Value type is integer.
-
-
-
-ADMX Info:
-- GP Friendly name: *Turn On Virtualization Based Security*
-- GP name: *VirtualizationBasedSecurity*
-- GP element: *RequirePlatformSecurityFeaturesDrop*
-- GP path: *System/Device Guard*
-- GP ADMX file name: *DeviceGuard.admx*
-
-
-
-The following list shows the supported values:
-
-- 1 (default) - Turns on VBS with Secure Boot.
-- 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
-
-
-
-
-
-
-
-
-
-## Related topics
+## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
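Review bot: in the ConfigureSystemGuardLaunch allowed-values table, rows 1 and 2 read `Unmanaged Enables Secure Launch if supported by hardware.` and `Unmanaged Disables Secure Launch.`, which contradicts the description line a few lines earlier where only 0 is "Unmanaged, configurable by Administrative user". Drop the `Unmanaged` prefix from rows 1 and 2 so the table cannot be read as "this value leaves Secure Launch unmanaged". Three further points in this hunk: under RequirePlatformSecurityFeatures the unchanged sentence "This setting lets users turn on Credential Guard with virtualization-based security..." is kept while the removed line "This setting specifies the platform security level at the next reboot" was the one that described this policy; "Windows 11 21. H2" and "Windows 11 (Version 22. H2)" should read 21H2 and 22H2; and the kernel-mode stack protection warning stops at "For more information, refer to" with no target. The scope tables for ConfigureSystemGuardLaunch and EnableVirtualizationBasedSecurity now mark Pro as supported where the removed edition tables said No, so that change should be confirmed rather than taken from the generator.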
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 9b12315551..cd689bed30 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -1,189 +1,208 @@
---
-title: Policy CSP - DeviceHealthMonitoring
-description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft.
+title: DeviceHealthMonitoring Policy CSP
+description: Learn more about the DeviceHealthMonitoring Area in Policy CSP.
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - DeviceHealthMonitoring
+
+
+
+
+## AllowDeviceHealthMonitoring
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
-
-## DeviceHealthMonitoring policies
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring
+```
+
-
-
+
+
+Enable/disable 4. Nines device health monitoring on devices.
+
-
-
-
-
-**DeviceHealthMonitoring/AllowDeviceHealthMonitoring**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service that requires it.
+
-
-
-The following list shows the supported values:
+
+**Description framework properties**:
-- 1 -The DeviceHealthMonitoring connection is enabled.
-- 0 - (default)—The DeviceHealthMonitoring connection is disabled.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-
-
+
+**Allowed values**:
-
-
+| Value | Description |
+|:--|:--|
+| 1 | The DeviceHealthMonitoring connection is enabled. |
+| 0 (Default) | The DeviceHealthMonitoring connection is disabled. |
+
-
-
+
+
+
-
+
-
-**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope**
+
+## ConfigDeviceHealthMonitoringScope
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope
+```
+
+
+
+If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored.
+
-
-
+
+
+This policy is applicable only if the [AllowDeviceHealthMonitoring](#allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection. IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service.
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+**Description framework properties**:
-> [!div class = "checklist"]
-> * Device
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringScope_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+
-
+
+
+
-
-
-This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
-This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection.
-IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service.
+
+
+## ConfigDeviceHealthMonitoringServiceInstance
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringServiceInstance
+```
+
-
-
+
+
+If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which service instance to which events are to be uploaded.
+
-
-
+
+
+
-
+
+**Description framework properties**:
-
-**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination**
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringServiceInstance_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+## ConfigDeviceHealthMonitoringUploadDestination
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination
+```
+
-> [!div class = "checklist"]
-> * Device
+
+
+If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded.
+
-
-
-
-
-This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
+
+
+This policy is applicable only if the [AllowDeviceHealthMonitoring](#allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios.
In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked.
Configure this policy manually only when explicitly instructed to do so by a Microsoft device monitoring service.
+
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringUploadDestination_DependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
|
+
-
-
+
+
+
-
-
+
-
-
-
+
+
+
+
+## Related articles
-
-
-## Related topics
-
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
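Review bot: The added description sentence for ConfigDeviceHealthMonitoringUploadDestination reads "via the AllowDeviceHealthMonitoring then this policy has no meaning", which is missing the word "policy" after the setting name. It also repeats the dependency that the kept paragraph ("This policy is applicable only if ...") and the `DependsOn` row already state, so suggest fixing the sentence or dropping it. The property table gives Format `chr (string)` but no allowed values or default, so a reader cannot tell from this page which upload destinations are valid. Since the value decides where monitored events are sent, list the accepted strings or state explicitly that they are supplied by the service.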
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index de68aa4b4e..0696c7e877 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -1,135 +1,100 @@
---
-title: Policy CSP - DeviceInstallation
-ms.reviewer:
+title: DeviceInstallation Policy CSP
+description: Learn more about the DeviceInstallation Area in Policy CSP.
+author: vinaypamnani-msft
manager: aaroncz
-description: Use the Policy CSP - DeviceInstallation setting to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install.
ms.author: vinpa
-ms.date: 09/27/2019
-ms.topic: article
+ms.date: 01/09/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
+ms.topic: reference
---
+
+
+
# Policy CSP - DeviceInstallation
->[!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
-
-
-
-
-## DeviceInstallation policies
-
-
-
-
-
-
-
-
-### DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting allows you to specify a list of plug-and-play hardware IDs and compatible IDs for devices that Windows is allowed to install.
-
> [!TIP]
-> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+
+
+## AllowInstallationOfMatchingDeviceIDs
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
+```
+
+
+
+
+This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
+- Prevent installation of devices that match these device IDs
+- Prevent installation of devices that match any of these device instance IDs
+If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-- Prevent installation of devices that match these device IDs.
-- Prevent installation of devices that match any of these device instance IDs.
+NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
-If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
+Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
-> [!NOTE]
-> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
+- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
-
-If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-
-If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+- If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+
+
+
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-ADMX Info:
-- GP Friendly name: *Allow installation of devices that match any of these device IDs*
-- GP name: *DeviceInstall_IDs_Allow*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_IDs_Allow |
+| Friendly Name | Allow installation of devices that match any of these device IDs |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | AllowDeviceIDs |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+
+**Example**:
-
-
To enable this policy, use the following SyncML. This example allows Windows to install compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter.
-
```xml
+
+## AllowInstallationOfMatchingDeviceInstanceIDs
-
-### DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install.
-
-> [!TIP]
-> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
+
+
+This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
+- Prevent installation of devices that match any of these device instance IDs
+If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-- Prevent installation of devices that match any of these device instance IDs.
-
-If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-
-> [!NOTE]
-> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
+NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
-If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+- If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+
+
+
Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Allow installation of devices that match any of these device instance IDs*
-- GP name: *DeviceInstall_Instance_IDs_Allow*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_Instance_IDs_Allow |
+| Friendly Name | Allow installation of devices that match any of these device instance IDs |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | AllowInstanceIDs |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+
+**Example**:
-
-
To enable this policy, use the following SyncML.
``` xml
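Review bot: In the AllowInstallationOfMatchingDeviceIDs and AllowInstallationOfMatchingDeviceInstanceIDs descriptions, the `> [!NOTE]` callout becomes a plain "NOTE:" paragraph and the `> [!TIP]` text is folded into the first paragraph. As a result, the guidance that "Prevent installation of devices not described by other policy settings" has been replaced by the layered-evaluation setting no longer stands out; suggest keeping the callout syntax in the generated text. The ADMX link also changes from `../understanding-admx-backed-policies.md` to `./understanding-admx-backed-policies.md`, which only resolves if that article now sits in the `mdm/` folder. The front-matter title becomes "DeviceInstallation Policy CSP" while the H1 stays "# Policy CSP - DeviceInstallation". Worth confirming both are intended.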
@@ -250,88 +213,90 @@ To enable this policy, use the following SyncML.
+
+## AllowInstallationOfMatchingDeviceSetupClasses
-
-### DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install.
-
-> [!TIP]
-> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
+
+
+This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions.
When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:
-
- Prevent installation of devices for these device classes
- Prevent installation of devices that match these device IDs
- Prevent installation of devices that match any of these device instance IDs
+If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.
-
-> [!NOTE]
-> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
+NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.
Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting).
-If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+- If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
+
+
+
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Allow installation of devices using drivers that match these device setup classes*
-- GP name: *DeviceInstall_Classes_Allow*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_Classes_Allow |
+| Friendly Name | Allow installation of devices using drivers that match these device setup classes |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | AllowDeviceClasses |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+
+**Example**:
-
-
To enable this policy, use the following SyncML. This example allows Windows to install:
- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318}
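Review bot: The applicability table for AllowInstallationOfMatchingDeviceSetupClasses drops information the removed table carried: the old rows list Business as Yes/Yes and Windows SE as No for Windows 10, while the new Editions cell has no Business entry and marks Windows SE as supported next to "Windows 10, version 1809 [10.0.17763] and later". Please confirm the edition support did not change, or state the Windows SE restriction in the new table. Separately, the unchanged sentence "Peripherals can be specified by their [hardware identity]..." is kept under a policy that matches on device setup class GUIDs; it reads as copied from the device ID policy and would be clearer if it pointed at setup class GUIDs.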
@@ -340,7 +305,6 @@ To enable this policy, use the following SyncML. This example allows Windows to
Enclose the class GUID within curly brackets {}. To configure multiple classes, use `` as a delimiter.
-
```xml
+
+## EnableInstallationPolicyLayering
-
-### DeviceInstallation/EnableInstallationPolicyLayering
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.256] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/EnableInstallationPolicyLayering
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-Added in Windows 10, Version 2106
-
-
-
-
+
+
This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:
Device instance IDs > Device IDs > Device setup class > Removable devices
-**Device instance IDs**
+Device instance IDs
-- Prevent installation of devices using drivers that match these device instance IDs.
-- Allow installation of devices using drivers that match these device instance IDs.
+1. Prevent installation of devices using drivers that match these device instance IDs
+2. Allow installation of devices using drivers that match these device instance IDs
-**Device IDs**
-- Prevent installation of devices using drivers that match these device IDs.
-- Allow installation of devices using drivers that match these device IDs.
+Device IDs
-**Device setup class**
-- Prevent installation of devices using drivers that match these device setup classes.
-- Allow installation of devices using drivers that match these device setup classes.
+3. Prevent installation of devices using drivers that match these device IDs
+4. Allow installation of devices using drivers that match these device IDs
-**Removable devices**
-- Prevent installation of removable devices.
+Device setup class
-> [!NOTE]
-> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
+5. Prevent installation of devices using drivers that match these device setup classes
+6. Allow installation of devices using drivers that match these device setup classes
-If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
+Removable devices
-
+7. Prevent installation of removable devices
+NOTE: This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
-
-ADMX Info:
-- GP Friendly name: *Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria*
-- GP name: *DeviceInstall_Allow_Deny_Layered*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+- If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
+
-
-
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_Allow_Deny_Layered |
+| Friendly Name | Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | AllowDenyLayered |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+
+**Example**:
-
-
```xml
+
+## PreventDeviceMetadataFromNetwork
-
-### DeviceInstallation/PreventDeviceMetadataFromNetwork
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventDeviceMetadataFromNetwork
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet.
-If you enable this policy setting, Windows doesn't retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab).
+- If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab).
-If you disable or don't configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
+- If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Prevent device metadata retrieval from the Internet*
-- GP name: *DeviceMetadata_PreventDeviceMetadataFromNetwork*
-- GP path: *System/Device Installation*
-- GP ADMX file name: *DeviceSetup.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-
+**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | DeviceMetadata_PreventDeviceMetadataFromNetwork |
+| Friendly Name | Prevent device metadata retrieval from the Internet |
+| Location | Computer Configuration |
+| Path | System > Device Installation |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Device Metadata |
+| Registry Value Name | PreventDeviceMetadataFromNetwork |
+| ADMX File Name | DeviceSetup.admx |
+
-
-
+
+
+
-
+
-
-### DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
+
+## PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
+```
+
+
+
+This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting.
-
-
+NOTE: This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting.
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+- If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting.
-> [!div class = "checklist"]
-> * Device
+- If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting.
+
-
+
+
+
-
-
-This policy setting allows you to prevent the installation of devices that aren't described by any other policy setting.
+
+**Description framework properties**:
-> [!NOTE]
-> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that isn't described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-If you disable or don't configure this policy setting, Windows is allowed to install or update the driver package for any device that isn't described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting.
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_Unspecified_Deny |
+| Friendly Name | Prevent installation of devices not described by other policy settings |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | DenyUnspecified |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+**Example**:
-
-ADMX Info:
-- GP Friendly name: *Prevent installation of devices not described by other policy settings*
-- GP name: *DeviceInstall_Unspecified_Deny*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
-
-
-
-
-
-
To enable this policy, use the following SyncML. This example prevents Windows from installing devices that aren't described by any other policy setting.
-
```xml
+
+## PreventInstallationOfMatchingDeviceIDs
-
-### DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.
-> [!NOTE]
-> To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting.
+NOTE: To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting.
-If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+- If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create.
+- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+- If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+
+
+
Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Prevent installation of devices that match any of these device IDs*
-- GP name: *DeviceInstall_IDs_Deny*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-
+**ADMX mapping**:
-
-
-
-To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use 
as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true.
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_IDs_Deny |
+| Friendly Name | Prevent installation of devices that match any of these device IDs |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | DenyDeviceIDs |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+**Example**:
+
+To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true.
```xml
+
+## PreventInstallationOfMatchingDeviceInstanceIDs
-
-### DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
-If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+- If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create.
+- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+- If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+
+
+
Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Prevent installation of devices that match any of these device instance IDs*
-- GP name: *DeviceInstall_Instance_IDs_Deny*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
-
-
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DeviceInstall_Instance_IDs_Deny |
+| Friendly Name | Prevent installation of devices that match any of these device instance IDs |
+| Location | Computer Configuration |
+| Path | System > Device Installation > Device Installation Restrictions |
+| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions |
+| Registry Value Name | DenyInstanceIDs |
+| ADMX File Name | DeviceInstallation.admx |
+
+
+
+
+**Example**:
-
-
To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with device instance IDs of USB\VID_1F75 and USB\VID_0781. To configure multiple classes, use `` as a delimiter.
``` xml
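Review bot: The delimiter is missing from the added Example paragraph for PreventInstallationOfMatchingDeviceIDs and from the matching context line for PreventInstallationOfMatchingDeviceInstanceIDs. Both read "To configure multiple classes, use `` as a delimiter", an empty code span, so a reader assembling a deny list with several IDs cannot tell what separates the entries, and a list built with the wrong separator may not block the intended devices. Write the delimiter as an escaped literal that survives rendering. Separately, the unchanged sentence under PreventInstallationOfMatchingDeviceInstanceIDs says to test that the configuration "allows the devices expected"; for a Prevent policy this should say "blocks", as the PreventInstallationOfMatchingDeviceIDs paragraph already does.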
@@ -806,6 +796,9 @@ To enable this policy, use the following SyncML. This example prevents Windows f
Edition | -Windows 10 | -Windows 11 | -
---|---|---|
Home | -No | -No | -
Pro | -Yes | -Yes | -
Business | -Yes | -Yes | -
Enterprise | -Yes | -Yes | -
Education | -Yes | -Yes | -
Edition | -Windows 10 | -Windows 11 | -
---|---|---|
Home | -No | -No | -
Pro | -No | -Yes | -
Business | -No | -Yes | -
Enterprise | -No | -Yes | -
Education | -No | -Yes | -
Edition | -Windows 10 | -Windows 11 | -
---|---|---|
Home | -No | -No | -
Pro | -Yes | -Yes | -
Business | -Yes | -Yes | -
Enterprise | -Yes | -Yes | -
Education | -Yes | -Yes | -
This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. + +**Allowed values**: - - -ADMX Info: -- GP Friendly name: *Configure App Install Control* -- GP name: *ConfigureAppInstallControl* -- GP path: *Windows Components/Windows Defender SmartScreen/Explorer* -- GP ADMX file name: *SmartScreen.admx* +| Value | Description | +|:--|:--| +| 0 (Default) | Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. | +| 1 | Turns on Application Installation Control, allowing users to only install apps from the Store. | + - - -The following list shows the supported values: + +**Group policy mapping**: -- 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. -- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store. +| Name | Value | +|:--|:--| +| Name | ConfigureAppInstallControl | +| Friendly Name | Configure App Install Control | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\SmartScreen | +| Registry Value Name | ConfigureAppInstallControlEnabled | +| ADMX File Name | SmartScreen.admx | + - - + + + -
Edition | -Windows 11 | -
---|---|
Home | -No | -
Pro | -Yes | -
Business | -Yes | -
Enterprise | -Yes | -
Education | -Yes | -
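Review bot: The new "Allowed values" table for Configure App Install Control labels 0 as "(Default)", a claim the removed list ("0 – Turns off Application Installation Control, ...") did not make. Since 0 lets users download and install files from anywhere on the web, confirm the default against SmartScreen.admx and, if it is correct, state in the description what an unconfigured device does instead of leaving that to a table cell.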